What is the difference between these stanzas...
[WinEventLog://Application]
disabled = 0
index=tablets
sourcetype=tablet_App

[WinEventLog://Microsoft-Windows-WLAN-AutoConfig/Operational]
disabled=0
index=tablets
sourcetype=tablet_WLAN_Op

[WinEventLog://Microsoft-Windows-WLAN-Autoconfig/Diagnostic]
disabled=0
index=tablets
sourcetype=tablet_WLAN_Diag
...and these stanzas?
[WinEventLog:Application]
disabled = 0
index=tablets
sourcetype=tablet_App

[WinEventLog:Microsoft-Windows-WLAN-AutoConfig/Operational]
disabled=0
index=tablets
sourcetype=tablet_WLAN_Op

[WinEventLog:Microsoft-Windows-WLAN-Autoconfig/Diagnostic]
disabled=0
index=tablets
sourcetype=tablet_WLAN_Diag
In the documentation, it says that in order to pick entries out of a file, specify the file path and name... but when picking events out of an .evtx file, it shows the second method (no "//" involved). I used the "//" method (the first method) in my inputs.conf and I can get //Applications and even //...../Operations, but I'm not getting
Is the difference critical? Why does one work and not the other? When using Universal Forwarder, which is the more correct method? Why does it work for two but not the third?
Yes, the Diagnostic events are showing up in the Event Viewer. As you know, when you turn on Analytic and Debug logs, that creates the additional categories, in this case the additional Diagnostic under WLAN-AutoConfig. So I can definitely see the events. Additionally, when I go into Properties for WLAN-AutoConfig/Diagnostic and enable the log, event logging can be confirmed by watching the file size of the created file and seeing that it increases.
I was looking into your suggestion of monitoring these files as files, but unfortunately, they are created in binary format, and without having the interpreter of the Universal Forwarder available, I cannot get any usable data. The alternative, copying the files over to our Splunk server, wouldn't work because, as I understand it, you need a server which corresponds to the device upon which the .evtx files are created in order to parse them... and our Splunk server is Linux.
The first set of stanzas is syntactically correct for monitoring Windows event logs; the second one is not, as it's missing those slashes. The difference is critical (that's why we have syntax).
Windows event log monitoring is different from regular file monitoring, where you have to specify the full path to the file. For Windows event logs, you just need to specify the path/name as they'll be seen in Windows Event Viewer (on the Windows machine, go to Run -> eventvwr.exe).
This syntax is the same for the Universal Forwarder and Splunk Enterprise.
For the Windows event log monitoring which is not working, check if the path/name is correct.
Thanks for the quick answer, Somesh.
So supposing I have the path/name correct, and it's still not digesting the .evtx file. What then? Both of these .evtx files live in the same directory, "C:\windows\system32\winevt\logs\", and they are both under the same provider, "WLAN-AutoConfig".
They both have the same path and format. But Operation is getting events, and Diagnostic is not.
I wish I could get someone to replicate my results.
I would check if the Diagnostic event logs are appearing in Event Viewer on that server (on the server where these files exist, go to Run -> eventvwr.exe).
If you want to monitor those as files, instead of as Windows event logs, then you can set up file monitoring. See this for more details: http://docs.splunk.com/Documentation/Splunk/6.2.11/Data/MonitorWindowsdata
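One way to carry out the two checks suggested in the answers above (that the channel name is spelled exactly as Event Viewer shows it, and that the Diagnostic channel is actually enabled and has records on the forwarder host) is to query the Event Log service directly from PowerShell and have it print the stanzas in the double-slash form. This is an added example, not code from the thread or from Splunk; the channel names, index and sourcetypes are the ones from the question, and the idea of generating the stanza from the returned LogName is my own assumption about how to avoid spelling mistakes.

```powershell
# Added example: verify inputs.conf channel names against the local Event Log service,
# then emit [WinEventLog://<channel>] stanzas using the exact name Windows reports.
# Channel -> sourcetype pairs are taken from the thread; everything else is illustrative.
$channels = [ordered]@{
    'Application'                                   = 'tablet_App'
    'Microsoft-Windows-WLAN-AutoConfig/Operational' = 'tablet_WLAN_Op'
    'Microsoft-Windows-WLAN-AutoConfig/Diagnostic'  = 'tablet_WLAN_Diag'
}
$index = 'tablets'

foreach ($entry in $channels.GetEnumerator()) {
    $name = $entry.Key

    # -Force is needed to list Analytic and Debug channels (such as */Diagnostic),
    # which Get-WinEvent hides by default.
    $log = Get-WinEvent -ListLog $name -Force -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Channel '$name' not found on this host. Compare against: Get-WinEvent -ListLog '*WLAN*' -Force"
        continue
    }

    # Show the facts that decide whether the forwarder can get anything from this channel.
    [pscustomobject]@{
        LogName     = $log.LogName       # exact spelling/case to use after 'WinEventLog://'
        LogType     = $log.LogType       # Administrative, Operational, Analytical or Debug
        IsEnabled   = $log.IsEnabled     # Analytic/Debug channels are disabled until enabled in Event Viewer
        RecordCount = $log.RecordCount   # 0 or empty means nothing has been written yet
        LogFilePath = $log.LogFilePath   # the .evtx under winevt\Logs, for comparison with the question
    } | Format-List

    if (-not $log.IsEnabled) {
        Write-Warning "Channel '$($log.LogName)' exists but is disabled; enable it in Event Viewer (Properties -> Enable logging)."
    }

    # Print the stanza in the form the accepted answer describes: two slashes, then the channel name
    # exactly as Event Viewer/Get-WinEvent reports it.
    @"
[WinEventLog://$($log.LogName)]
disabled = 0
index = $index
sourcetype = $($entry.Value)

"@
}
```

Run it in an elevated PowerShell session on the host where the Universal Forwarder is installed; a channel that is reported as found, enabled and with a non-zero RecordCount but still produces no events in Splunk points at the forwarder side (for example a stanza typo, or the input living in an app that is not deployed to that host) rather than at Windows.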