Getting Data In

Why are my Windows Event Logs not being forwarded properly with an intermediate forwarder?

cchitten
Path Finder

I am using an intermediary server (server 2) to collect forwarded logs from many servers (servers 3, 4, 5, etc.) and then I use a Splunk forwarder on it to forward those events to my full Splunk instance server (server 1).

However, my events are not being forwarded properly. On server 2 they look like this:

   [ Name]  Microsoft-Windows-Security-Auditing 
   [ Guid]  {*****************} 
   EventID 4769 
   Version 0 
   Level 0 
   Task 14337 
   Opcode 0 
   Keywords 0x6020000000000000 
  - TimeCreated
   [ SystemTime]  2015-02-23T14:17:22.10657400Z 
   EventRecordID 705673 
   Correlation 
  - Execution
   [ ProcessID]  568 
   [ ThreadID]  5524 
   Channel Security 
   Computer ****************
   Security 

  TargetUserName *********
  TargetDomainName ************
  ServiceName *********
  ServiceSid *********
  TicketOptions 0x40810345
  TicketEncryptionType 0x13
  IpAddress ***********
  IpPort ******** 
  Status 0x0 
  LogonGuid {************} 
  TransmittedServices - 

   [ Culture]  en-US 
   Message [*long message here*]
   Task Kerberos Service Ticket Operations 
   Opcode Info 
   Channel Security 
   Provider Microsoft Windows security auditing. 

   Keyword Audit Success 

But in Splunk it just appears like this:

02/23/2015 02:08:40 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4769
EventType=0
Type=Microsoft Windows security auditing.
ComputerName=************
TaskCategory=Microsoft Windows security auditing.
OpCode=Microsoft Windows security auditing.
RecordNumber=705673
Keywords=Microsoft Windows security auditing.
Message=Microsoft Windows security auditing.

What could be happening in between that is affecting my event details?

0 Karma
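The collapse the question shows (TaskCategory, OpCode, Keywords and Message all carrying the provider name) is easy to catch automatically before anyone builds searches or alerts on top of the data. As an added example, not code from the original post or from Splunk, here is a small Python checker that parses a Splunk-rendered WinEventLog event into its key=value fields and flags the fields that merely repeat SourceName. Both sample events are constructed: the mangled one is modelled on the event in the question (placeholders kept), the healthy one uses the Task, Opcode and Keyword values seen in the server 2 rendering plus a made-up message text.

```python
import re
from typing import Dict, List

# Fields that should carry their own value rather than repeating the
# provider name. In the server 2 rendering these are Task, Opcode,
# Keyword and Message, each with a distinct value.
FIELDS_EXPECTED_DISTINCT = ("TaskCategory", "OpCode", "Keywords", "Message")

# Constructed sample: the collapsed event as it appeared in Splunk.
MANGLED_EVENT = """02/23/2015 02:08:40 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4769
EventType=0
Type=Microsoft Windows security auditing.
ComputerName=************
TaskCategory=Microsoft Windows security auditing.
OpCode=Microsoft Windows security auditing.
RecordNumber=705673
Keywords=Microsoft Windows security auditing.
Message=Microsoft Windows security auditing.
"""

# Constructed sample: what a correctly rendered 4769 event looks like.
# The message text is made up; the Task/OpCode/Keywords values match the
# server 2 rendering in the question.
HEALTHY_EVENT = """02/23/2015 02:08:40 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4769
EventType=0
Type=Information
ComputerName=************
TaskCategory=Kerberos Service Ticket Operations
OpCode=Info
RecordNumber=705673
Keywords=Audit Success
Message=A Kerberos service ticket was requested.
Account Information:
	Account Name:		*********
"""

def parse_wineventlog(raw: str) -> Dict[str, str]:
    """Parse a Splunk-style WinEventLog event (timestamp line followed by
    Key=Value lines) into a dict. Continuation lines without a key, as in
    a multi-line Message, are appended to the previous field."""
    fields: Dict[str, str] = {}
    lines = raw.strip().splitlines()
    if lines and "=" not in lines[0]:
        fields["_time"] = lines[0].strip()
        lines = lines[1:]
    current = None
    for line in lines:
        m = re.match(r"^([A-Za-z][A-Za-z0-9_]*)=(.*)$", line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2)
        elif current is not None:
            fields[current] += "\n" + line
    return fields

def collapsed_fields(fields: Dict[str, str]) -> List[str]:
    """Return the names of fields whose value is just the provider name."""
    provider = fields.get("SourceName")
    if not provider:
        return []
    return [f for f in FIELDS_EXPECTED_DISTINCT if fields.get(f) == provider]

def check_event(raw: str) -> dict:
    """Summarise one event: its EventCode, the collapsed fields, and an
    overall verdict. An event with any collapsed field is not usable for
    searches that rely on TaskCategory, OpCode, Keywords or Message."""
    fields = parse_wineventlog(raw)
    bad = collapsed_fields(fields)
    return {"EventCode": fields.get("EventCode"), "collapsed": bad, "ok": not bad}

if __name__ == "__main__":
    for label, ev in (("mangled", MANGLED_EVENT), ("healthy", HEALTHY_EVENT)):
        print(label, check_event(ev))
```

Run against a sample exported from the index, this turns "the events look wrong" into a countable condition: any event where check_event reports ok=False came through the intermediate hop with its details replaced by the provider name, and the EventCode tells you which event types are affected.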

lmyrefelt
Builder

I have had this setup "a long time ago" .. and it worked without this kind of problem at least ... Have you made some changes on the Windows collector side as to how to process or maybe write/save the events down to disk again? XML versus text or something ..

0 Karma

cchitten
Path Finder

No. Just simply installed the splunk_TA_windows app onto my forwarder and that is what I got through.

0 Karma

lmyrefelt
Builder

Aaah yeah, but you need to do some configuration on the Windows side to have another Windows server act as an "event log receiver". This is where some of the things might get screwed up "already".

0 Karma

cchitten
Path Finder

It is a Linux server that is acting as the receiver though.

0 Karma