Getting Data In

Windows custom events logs not showing up in Splunk

yanivdutt
Explorer

Hi ,
Below is custom event logs which I am configuring on windows forwarder but they are not showing up in Splunk. We can see events coming from default events like system,security etc. Below is syntax I am using

[WinEventLog://Citirix Delivery Services]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
index = wineventlog

alt text

Attached screenshot shows location of event logs

0 Karma

javiergn
SplunkTrust
SplunkTrust

Hi,

Just some comments to that:

  • Isn't the name in your config file wrong? Shouldn't it be "Citrix Delivery Services" instead of "Citirix Delivery Services]" (notice the extra i)
  • I can't see your screenshot very well but there seems to be two blank spaces between Delivery and Services, is that the case?
  • Also, is "Citrix Delivery Services" the full path of your event log?
  • Finally, have you tried reading from any other log in the same folder such as "Internet Explorer" and see if that works?

Thanks,
J

0 Karma

yanivdutt
Explorer

@javiergn
Yes Citrix delivery services is complete folder. Somehow i started seeing data after windows server reboot. Now I am adding couple more customized . Below is events I want to see and screenshot. Is path mentioned correct ? This event is underneath other events from events view, but exist in same folder structure

[WinEventLog://Citrix-CDF_ErrorReporter/Admin]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
index = wineventlog

alt text

0 Karma

javiergn
SplunkTrust
SplunkTrust

Hi, as per the screenshot the path looks correct to me.
Hopefully that should be working just fine.

If you are happy with the resolution of this issue please do not forget to mark it as answered so that it can be closed.

Thanks,
J

0 Karma

yanivdutt
Explorer

Thanks for replying. It was typo in post. Was using correct syntax in my use case

[WinEventLog://Citrix Delivery Services]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
index = wineventlog

0 Karma

javiergn
SplunkTrust
SplunkTrust

What about the other 3 points I mentioned above?
Did you manage to try any of that?

Regards,
J

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...