sending wineventlog

belleke
Explorer

Hi, I’m quite new to splunk when it comes to sending data to splunk. I do have experience with making dashboards etc. I’ve got a problem receiving data from a windows pc. I’ve installed the universal forwarder on there and I’ve got another windows pc that acts as my enterprise environment. I do know that the forwarder is active and can see a connection. I want to send wineventlog data to splunk. I’ve made a input.conf and output.conf containing information for what I want to forward. But when I want to look it up in the search I have 0 events. I’m sure I’m doing some things wrong haha. I would like some help with it. Thanks! 

0 Karma
1 Solution

richgalloway
SplunkTrust

It looks like there's a typo in the hostname in the query. Try host=*. You can confirm a sourcetype was received using this search:

index=_internal component=Metrics group=per_sourcetype_thruput series="WinEventLog:Security"

Just change the 'series' value to the sourcetype you're looking for.

---
If this reply helps you, Karma would be appreciated.

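As an added, stand-alone example (not code from the thread or from Splunk), the same check the accepted answer runs in SPL, applied offline to constructed metrics.log lines: it tells a forwarder that is not sending anything apart from a forwarder that sends but has no events for the expected sourcetype. The host name, the sample lines and the exact field layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of splunkd metrics.log lines (what index=_internal
# component=Metrics returns); not real output from the poster's environment.
SAMPLE_METRICS = """\
12-12-2024 15:01:23.456 +0100 INFO  Metrics - group=per_host_thruput, series="win-uf-01", kbps=0.42, eps=3.1, kb=13.0, ev=96, avg_age=0.5, max_age=2
12-12-2024 15:01:23.456 +0100 INFO  Metrics - group=per_sourcetype_thruput, series="WinEventLog:Security", kbps=0.40, eps=3.0, kb=12.4, ev=93, avg_age=0.5, max_age=2
12-12-2024 15:01:23.456 +0100 INFO  Metrics - group=per_sourcetype_thruput, series="splunkd", kbps=0.02, eps=0.1, kb=0.6, ev=3, avg_age=0.1, max_age=1
12-12-2024 15:01:54.456 +0100 INFO  Metrics - group=per_sourcetype_thruput, series="WinEventLog:Security", kbps=0.10, eps=1.0, kb=3.1, ev=31, avg_age=0.4, max_age=1
"""

# Only group, series and the event count (ev) are used; the rest of the
# line layout is assumed from the metrics.log format and ignored here.
METRIC_RE = re.compile(
    r'group=(?P<group>\w+), series="(?P<series>[^"]*)".*?\bev=(?P<ev>\d+)'
)


def thruput_by_series(log_text):
    """Sum ev per series for the host and sourcetype throughput groups.
    Series names are lower-cased so 'WinEventLog:Security' and
    'wineventlog:security' (both seen in practice) count as one series."""
    totals = {"per_host_thruput": defaultdict(int),
              "per_sourcetype_thruput": defaultdict(int)}
    for line in log_text.splitlines():
        m = METRIC_RE.search(line)
        if not m or m.group("group") not in totals:
            continue
        totals[m.group("group")][m.group("series").lower()] += int(m.group("ev"))
    return totals


def diagnose(log_text, host, sourcetype):
    """Return (status, event_count) for the forwarder host and sourcetype.
    'host-not-seen'       -> the UF is not delivering anything (fix that first)
    'sourcetype-not-seen' -> the UF delivers, but the WinEventLog input yields nothing
    'ok'                  -> events arrived; a search with 0 results is a query problem"""
    totals = thruput_by_series(log_text)
    host_ev = totals["per_host_thruput"].get(host.lower(), 0)
    st_ev = totals["per_sourcetype_thruput"].get(sourcetype.lower(), 0)
    if host_ev == 0:
        return ("host-not-seen", 0)
    if st_ev == 0:
        return ("sourcetype-not-seen", 0)
    return ("ok", st_ev)
```

With the sample above, a hostname typo such as `win-uf-O1` yields `host-not-seen`, which is why the answer suggests trying `host=*` before suspecting the input.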

gcusello
SplunkTrust

Hi @belleke ,

install on the UF the Splunk_TA_Windows ( https://splunkbase.splunk.com/app/742 ), remembering that by default all the inputs are disabled, so you have to create a new folder called "local", copy the inputs.conf from the default folder into it and change disabled=1 to disabled=0 for all the inputs you need.

Then install the above Add-On on the Splunk Server as well.

Ciao.

Giuseppe

0 Karma

richgalloway
SplunkTrust

Are you able to see the UF's internal logs in Splunk?  If not, then that problem must be resolved first.

Please share the WinEventLog inputs.conf stanza(s).

Please also tell how you are trying to search for the events.

---
If this reply helps you, Karma would be appreciated.
0 Karma

belleke
Explorer

The first screenshot is about UF's internal logs in Splunk. The second screenshot is my search string looking for winevent. I also wrote down my inputs.conf. I do apologize that I have little knowledge about this all. If I need to send more info or the right one 😉 please let me know, thanks!

belleke_1-1734010994864.png

belleke_3-1734011179656.png


inputs.conf=

[WinEventLog://Security]
disabled = 0
index = main
sourcetype = WinEventLog:Security
evt_resolve_ad_obj = 1
checkpointInterval = 5

@richgalloway 


0 Karma


belleke
Explorer

I've solved the issue, thanks for your help!

@richgalloway 

richgalloway
SplunkTrust

How did you solve it?

---
If this reply helps you, Karma would be appreciated.
0 Karma

gcusello
SplunkTrust

Hi @belleke ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

belleke
Explorer

@richgalloway 

Thanks for your reply, unfortunately I still have no luck. By the looks of it I'm not receiving any sourcetypes in splunk. I saw my typo mistake later but still wasn't able to receive any kind of data regarding wineventlogging. 
Any other suggestions what could be the issue?

0 Karma