Getting Data In

Will someone tell me the command Splunk is using to read Windows security event logs?


Can someone tell me the command Splunk is using to read the Windows security event log. I have one server that will send to _internal, but not send to the specified index of my input. It really seems like it can't read the event log. But I'm unsure. Are there some debug settings I can turn on? I came across this link and plan to try that tomorrow.

0 Karma

Esteemed Legend

Hi danman06,
if you're receiving _internal logs you've correctly configured outputs.conf.
To take Windows, I suggest to use the Splunk_TA_Windows so that you can download from Splunkbase ( ).
You have to:

  • copy this TA on your Universal Forwarder in $SPLUNK_HOME\splunkuniversalforwarder\etc\apps;
  • then copy the default\inputs.conf file in local\inputs.conf;
  • modify the local\inputs.conf file enabling WinEventLog:Security stanza changing disabled=1 in disabled=0;
  • restart Splunk on Forwarder.

At , you can find the documentation to install and configure Splunk_TA_Windows.

In this way you're sure to correctly configure your Windows inputs and you're ready for the next step: deploy this TA in other Forwarder using the Deployment Server, but this is another thing.


0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...