Getting Data In

Will someone tell me the command Splunk is using to read Windows security event logs?

danman06
Explorer

Can someone tell me the command Splunk is using to read the Windows security event log. I have one server that will send to _internal, but not send to the specified index of my input. It really seems like it can't read the event log. But I'm unsure. Are there some debug settings I can turn on? I came across this link and plan to try that tomorrow.

https://answers.splunk.com/answers/239644/how-to-troubleshoot-why-splunk-stopped-indexing-wm.html?ut...

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi danman06,
if you're receiving _internal logs you've correctly configured outputs.conf.
To take Windows, I suggest to use the Splunk_TA_Windows so that you can download from Splunkbase ( https://splunkbase.splunk.com/app/742/ ).
You have to:

  • copy this TA on your Universal Forwarder in $SPLUNK_HOME\splunkuniversalforwarder\etc\apps;
  • then copy the default\inputs.conf file in local\inputs.conf;
  • modify the local\inputs.conf file enabling WinEventLog:Security stanza changing disabled=1 in disabled=0;
  • restart Splunk on Forwarder.

At http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/AbouttheSplunkAdd-onforWindows , you can find the documentation to install and configure Splunk_TA_Windows.

In this way you're sure to correctly configure your Windows inputs and you're ready for the next step: deploy this TA in other Forwarder using the Deployment Server, but this is another thing.

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...