Getting Data In
Highlighted

Will someone tell me the command Splunk is using to read Windows security event logs?

Explorer

Can someone tell me the command Splunk is using to read the Windows security event log. I have one server that will send to _internal, but not send to the specified index of my input. It really seems like it can't read the event log. But I'm unsure. Are there some debug settings I can turn on? I came across this link and plan to try that tomorrow.

https://answers.splunk.com/answers/239644/how-to-troubleshoot-why-splunk-stopped-indexing-wm.html?ut...

0 Karma
Highlighted

Re: Will someone tell me the command Splunk is using to read Windows security event logs?

Legend

Hi danman06,
if you're receiving internal logs you've correctly configured outputs.conf.
To take Windows, I suggest to use the Splunk
TA_Windows so that you can download from Splunkbase ( https://splunkbase.splunk.com/app/742/ ).
You have to:

  • copy this TA on your Universal Forwarder in $SPLUNK_HOME\splunkuniversalforwarder\etc\apps;
  • then copy the default\inputs.conf file in local\inputs.conf;
  • modify the local\inputs.conf file enabling WinEventLog:Security stanza changing disabled=1 in disabled=0;
  • restart Splunk on Forwarder.

At http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/AbouttheSplunkAdd-onforWindows , you can find the documentation to install and configure SplunkTAWindows.

In this way you're sure to correctly configure your Windows inputs and you're ready for the next step: deploy this TA in other Forwarder using the Deployment Server, but this is another thing.

Bye.
Giuseppe

0 Karma