Solved: Windows 2008 Server Event Viewer Logs

kbecker · ‎08-30-2010

In the Server 2008 Event Viewer there are now a "Microsoft --> Windows" folders nested under the "Applications and Services Logs" section. What should the Splunk inputs.conf look like for the event logs under the "Microsoft" --> "Windows" folder. Specifically I am looking for the "PrintService --> Operational", but if anybody has any of these other logs being indexed the base input should be the same

**%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-**PrintService%4Operational.evtx

I tried the following with no success...

[WinEventLog:Microsoft:Windows:PrintService Operational]
[WinEventLog:PrintService Operational]

Thanks in advance...

kbecker · ‎09-03-2010

This is stanza required

[WinEventLog:Microsoft-Windows-PrintService/Operational]

Thanks to Ellen Hom with Splunk Support

View solution in original post

AaronMoorcroft · ‎04-09-2014

So is that all you need to have in your input.conf file ? or do you need somthing somewhere else ? I need to monitor that particular event log however im getting nothing currently, I did merge that event log with the system event log which did sort or work but not as I need it to.

AaronMoorcroft · ‎04-09-2014

dont worry managed to get it working with this -

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
startfrom = oldest
currentonly = 0

after some restarting if the forwarders 🙂

cervelli · ‎10-13-2010

The add data interface will list these out as well. Even if you intended to deploy to a forwarder, you can still create the stanza as a sample on one Splunk to make sure the syntax is correct.

patelpin · ‎06-03-2013

Are you using "Splunk Forwarder" on the target Machine????

Windows 2008 Server Event Viewer Logs

Re: Windows 2008 Server Event Viewer Logs

Re: Windows 2008 Server Event Viewer Logs

Re: Windows 2008 Server Event Viewer Logs

Re: Windows 2008 Server Event Viewer Logs

Re: Windows 2008 Server Event Viewer Logs