Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Will someone tell me the command Splunk is using to read Windows security event logs?

danman06
Explorer
‎09-19-2018 10:30 AM

Can someone tell me the command Splunk is using to read the Windows security event log. I have one server that will send to _internal, but not send to the specified index of my input. It really seems like it can't read the event log. But I'm unsure. Are there some debug settings I can turn on? I came across this link and plan to try that tomorrow.

https://answers.splunk.com/answers/239644/how-to-troubleshoot-why-splunk-stopped-indexing-wm.html?ut...

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-19-2018 12:14 PM

Hi danman06,
if you're receiving _internal logs you've correctly configured outputs.conf.
To take Windows, I suggest to use the Splunk_TA_Windows so that you can download from Splunkbase ( https://splunkbase.splunk.com/app/742/ ).
You have to:

  • copy this TA on your Universal Forwarder in $SPLUNK_HOME\splunkuniversalforwarder\etc\apps;
  • then copy the default\inputs.conf file in local\inputs.conf;
  • modify the local\inputs.conf file enabling WinEventLog:Security stanza changing disabled=1 in disabled=0;
  • restart Splunk on Forwarder.

At http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/AbouttheSplunkAdd-onforWindows , you can find the documentation to install and configure Splunk_TA_Windows.

In this way you're sure to correctly configure your Windows inputs and you're ready for the next step: deploy this TA in other Forwarder using the Deployment Server, but this is another thing.

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...