Getting Data In

Windows Analytic and Debug Events not showing up in Splunk

funnymie
New Member

Hello,

For monitoring Microsoft Hyper-V Manager actions I am trying to import analytic and debug logs into Splunk. Although these logs are populated in the Windows Event Viewer, no data shows up in the Splunk views.

What I did:
1. Installed the Hyper-V Server Role on Windows Server 2012
2. Opened the Event Viewer (eventvwr.msc), went to the View Menu and enabled the 'Show Analytic and Debug Logs' option.
3. Right clicked each of the 'Analytic' and 'Debug' logs in 'Applications and Services Logs\Microsoft\Windows\Hyper-V-*'
4. Configured Splunk to fetch data from all 'Hyper-V-*' event logs.
5. Created a new Virtual Machine using the 'New Virtual Machine' wizard in the 'Hyper-V Manager'

When looking at, for example, the 'Applications and Services Logs\Microsoft\Windows\Hyper-V-VMMS\Analytic' log in the Windows Event Viewer, data is shown regarding the creation of the Virtual Machine. Looking at Splunk's logs, however, no data is collected from this log at all.

Any suggestions to tackle this issue?

Thanks in advance!

0 Karma

RDAVISS
Path Finder

I know this is old, but I was hung up on the differences in syntax. Looks like Hyper-V event logs don't use the commonly used forward slash but use a dash instead.
Example:

Microsoft-Windows-Hyper-V-Hypervisor/Operational
Microsoft-Windows-Hyper-V-Hypervisor/Admin
VS
Microsoft-Windows-Hyper-V-Hypervisor-Operational
Microsoft-Windows-Hyper-V-Hypervisor-Admin

This stanza works for me. I am using a universal forwarder on a remote machine.
[WinEventLog://Microsoft-Windows-Hyper-V-Hypervisor-Operational]
disabled = 0

Also, make sure there are actual event entries in the Admin; mine was zero and took me a minute to figure that one out.

0 Karma

skylasam_splunk
Splunk Employee

Yes, this does appear to be a config issue. Below is an example of the correct stanza definition.
Note the forward slash before the channel name:

[WinEventLog:Microsoft-Windows-Hyper-V-Config/Admin]
disabled = 0

Hope that helps!

0 Karma
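The two replies above disagree on whether the last separator in the channel name is a dash or a slash, and the thread never settles it. The only authority is Windows itself: `wevtutil el` lists every channel name exactly as the Event Log service registers it, and the Splunk stanza has to use that spelling. The following checker is an added example, not code from this thread or from Splunk; it parses an inputs.conf, accepts both stanza forms seen here (`WinEventLog:` and `WinEventLog://`), and compares each channel against a channel list. Both the `wevtutil el` output and the inputs.conf are constructed samples, so the channel names in them are assumptions for illustration rather than a statement of which Hyper-V channels exist on a given host.

```python
"""Validate Splunk WinEventLog stanzas against the channel list from `wevtutil el`.

Added example: run `wevtutil el` on the forwarder host, paste its output in place of
WEVTUTIL_EL, and point INPUTS_CONF at the real inputs.conf. Stanzas whose channel name
differs from Windows' spelling only by dash/slash get a concrete rename suggestion.
"""
import re

# Constructed sample of `wevtutil el` output (one channel name per line).
WEVTUTIL_EL = """\
Application
Microsoft-Windows-Hyper-V-Config/Admin
Microsoft-Windows-Hyper-V-Hypervisor/Admin
Microsoft-Windows-Hyper-V-Hypervisor/Operational
Microsoft-Windows-Hyper-V-VMMS-Analytic
"""

# Constructed inputs.conf mixing the stanza forms that appear in this thread.
INPUTS_CONF = """\
[WinEventLog://Microsoft-Windows-Hyper-V-Hypervisor-Operational]
disabled = 0

[WinEventLog:Microsoft-Windows-Hyper-V-Config/Admin]
disabled = 0

[WinEventLog://Microsoft-Windows-Hyper-V-VMMS-Analytic]
disabled = 0

[WinEventLog://Microsoft-Windows-Hyper-V-Worker-Admin]
disabled = 1
"""

# Matches both "[WinEventLog:Channel]" and "[WinEventLog://Channel]".
STANZA_RE = re.compile(r"^\[WinEventLog:(?://)?(?P<channel>[^\]]+)\]\s*$")


def parse_channels(wevtutil_output):
    """Set of channel names exactly as Windows reports them."""
    return {line.strip() for line in wevtutil_output.splitlines() if line.strip()}


def parse_stanzas(inputs_conf):
    """List of {'channel': ..., 'disabled': bool} for every WinEventLog stanza."""
    stanzas = []
    current = None
    for raw in inputs_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = {"channel": m.group("channel"), "disabled": False}
            stanzas.append(current)
            continue
        if line.startswith("["):
            current = None  # some other input type; ignore its keys
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "disabled":
                current["disabled"] = value.strip().lower() in ("1", "true")
    return stanzas


def _key(name):
    # Fold dash and slash together so the two spellings in the thread compare equal.
    return name.replace("/", "-").lower()


def check_inputs(inputs_conf, wevtutil_output):
    """Map each configured channel to 'ok', 'rename to <real name>', or 'unknown'."""
    real = parse_channels(wevtutil_output)
    by_key = {}
    for name in real:
        by_key.setdefault(_key(name), []).append(name)
    report = {}
    for stanza in parse_stanzas(inputs_conf):
        channel = stanza["channel"]
        if channel in real:
            report[channel] = "ok"
        else:
            candidates = by_key.get(_key(channel), [])
            report[channel] = (
                f"rename to {candidates[0]}" if len(candidates) == 1 else "unknown"
            )
    return report


if __name__ == "__main__":
    for channel, verdict in check_inputs(INPUTS_CONF, WEVTUTIL_EL).items():
        print(f"{channel}: {verdict}")
```

A channel reported as `unknown` is not registered on that host at all, so no stanza spelling will collect it; a `rename to` verdict is the dash-versus-slash mismatch the replies above describe. The check says nothing about whether a channel has events in it, which RDAVISS notes separately.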

funnymie
New Member

Thanks again for your reply!

Initially I used the web interface to add these sources (which added the dashes), but I have now edited the inputs.conf as you instructed, replacing the last dash with a slash.
After restarting the Splunk server, however, no new data is being logged, not even from the logs that previously worked.

Some screenshots:
http://imageshack.us/a/img547/305/splunksummary.png
http://imageshack.us/a/img703/221/logcollections.png
http://imageshack.us/a/img12/6595/logcollectionslocalhost.png

This problem can also be reproduced on a non-server version of Windows.

0 Karma

skylasam_splunk
Splunk Employee

Can you please provide the contents of the inputs.conf file which contains the event log configuration? I suspect it is a configuration issue due to which you're not seeing the events in Splunk.

0 Karma

funnymie
New Member

skylasam, thanks for your reply!

You can view the inputs.conf file here: http://pastebin.com/JzF4zAsB

Looking forward to your response.

0 Karma