Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Unable to Collect SMBServer/Audit logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have been unable to get the universal forwarders to correctly collect the SMB Server audit logs. The inputs.conf file on the deployment server has the following stanza configured but there are no logs flowing in. The other events in the inputs file work without any issues.
## Application and Services Logs - SMB Server Audit Log
[WinEventLog://Microsoft-Windows-SMBServer/Audit]
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, the above stanza is correct. I was just impatient I think. The next morning I had pretty much all the logs available to search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is that the correct path of where those logs are actually located? Also, you are going to want to make sure that Splunk is able to capture from that location. Might want to check permissions on the windows event log configuration.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, were you able to get this working?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, the above stanza is correct. I was just impatient I think. The next morning I had pretty much all the logs available to search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What sourcetype did your data come in with? Did you have to create the sourcetype?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was at the time utilizing the Splunk add on for Windows. It came with some predefined sourcetypes for Win Event logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to fix it. It was permissions on Windows Event Logs. Used https://support.umbrella.com/hc/en-us/articles/115004063808-Using-wevtutil-to-check-Event-Log-permis... as reference to correct the channel access string for Microsoft-Windows-SMBServer/Audit. Thanks for the suggestion.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Was splunkd running as SYSTEM or as a domain account? I tried both, restarted Splunk services and the DS, but while other Event IDs are coming as expected the Event ID 3000 (SMBServer Audit) logs are not coming in. Now that it is certain the path is correct, I'm thinking if it something related to permissions.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
