Getting Data In

sending wineventlog

belleke
Explorer

Hi, I’m quite new to Splunk when it comes to sending data to Splunk. I do have experience with making dashboards etc. I’ve got a problem receiving data from a Windows PC. I’ve installed the universal forwarder on there and I’ve got another Windows PC that acts as my enterprise environment. I do know that the forwarder is active and can see a connection. I want to send wineventlog data to Splunk. I’ve made an input.conf and output.conf containing information for what I want to forward. But when I want to look it up in the search I have 0 events. I’m sure I’m doing some things wrong haha. I would like some help with it. Thanks!

1 Solution

richgalloway
SplunkTrust

It looks like there's a typo in the hostname in the query.  Try host=*.  You can confirm a sourcetype was received using this search

index=_internal component=Metrics group=per_sourcetype_thruput series="WinEventLog:Security"

Just change the 'series' value to the sourcetype you're looking for.

---
If this reply helps you, Karma would be appreciated.


gcusello
SplunkTrust

Hi @belleke ,

install on the UF the Splunk_TA_Windows ( https://splunkbase.splunk.com/app/742 ), remembering that, by default, all the inputs are disabled, so you have to create a new folder called "local", copy the inputs.conf from the default folder and modify disabled=1 to disabled=0 for all the inputs you need.

Then install the above Add-On also on the Splunk Server.

Ciao.

Giuseppe

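The default-to-local enablement step Giuseppe describes, as an added example (it is not code from the Add-On or from anyone in the thread): it parses a default inputs.conf, writes a local/inputs.conf that enables only the chosen WinEventLog stanzas, and then shows which stanzas are effectively enabled once Splunk layers local over default. SAMPLE_DEFAULT is a constructed stand-in for the Add-On's much larger default/inputs.conf; the stanza and setting names are standard Splunk ones, but the file content is not copied from the Add-On, and the function names are the example's own.

```python
"""Enable selected WinEventLog inputs of a Splunk_TA_Windows-style Add-On.

Added example, not the Add-On's own code. Splunk reads default/ then local/
and lets local override default per key, so local/inputs.conf only needs the
stanzas and keys you want to change.
"""
import configparser
import tempfile
from pathlib import Path

# Constructed sample shaped like a default/inputs.conf shipped with everything
# disabled (the real Add-On file is much longer).
SAMPLE_DEFAULT = """\
[WinEventLog://Application]
disabled = 1

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true

[WinEventLog://System]
disabled = 1

[monitor://$WINDIR\\System32\\DHCP]
disabled = 1
"""


def _parse(text):
    """Parse inputs.conf text into {stanza: {key: value}}; keys keep their case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk keys such as checkpointInterval are case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def render_local(default_text, wanted, index=None):
    """Return local/inputs.conf text enabling exactly the wanted stanzas.

    Raises KeyError for a stanza the default file does not define, which
    catches typos such as 'WinEventLog://Secuirty' before the UF ignores them.
    """
    stanzas = _parse(default_text)
    missing = [s for s in wanted if s not in stanzas]
    if missing:
        raise KeyError(f"stanzas not in default inputs.conf: {missing}")
    lines = []
    for name in wanted:
        lines.append(f"[{name}]")
        lines.append("disabled = 0")
        if index:
            lines.append(f"index = {index}")
        lines.append("")
    return "\n".join(lines)


def effective_inputs(default_text, local_text):
    """Merge the two layers the way Splunk does: local keys override default keys."""
    merged = _parse(default_text)
    for name, settings in _parse(local_text).items():
        merged.setdefault(name, {}).update(settings)
    return merged


def enabled_stanzas(default_text, local_text):
    """Stanza names that are enabled after layering (a missing 'disabled' means enabled)."""
    eff = effective_inputs(default_text, local_text)
    return sorted(
        s for s, v in eff.items()
        if v.get("disabled", "0").strip().lower() in ("0", "false")
    )


def write_local(ta_dir, wanted, index=None):
    """Read <ta_dir>/default/inputs.conf and write <ta_dir>/local/inputs.conf."""
    ta_dir = Path(ta_dir)
    default_text = (ta_dir / "default" / "inputs.conf").read_text(encoding="utf-8")
    local_dir = ta_dir / "local"
    local_dir.mkdir(exist_ok=True)
    text = render_local(default_text, wanted, index)
    (local_dir / "inputs.conf").write_text(text, encoding="utf-8")
    return text


def demo():
    """Run the whole procedure against a throwaway Add-On directory."""
    with tempfile.TemporaryDirectory() as tmp:
        ta = Path(tmp) / "Splunk_TA_Windows"
        (ta / "default").mkdir(parents=True)
        (ta / "default" / "inputs.conf").write_text(SAMPLE_DEFAULT, encoding="utf-8")
        local_text = write_local(
            ta, ["WinEventLog://Security", "WinEventLog://System"], index="main"
        )
        return enabled_stanzas(SAMPLE_DEFAULT, local_text)


if __name__ == "__main__":
    print(demo())
```

Because Splunk merges the layers per key, the generated local file carries only `disabled = 0` (and the index, if given) while start_from, checkpointInterval and the other settings keep coming from default. The forwarder reads inputs.conf at startup, so restart the UF after writing the local file.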

richgalloway
SplunkTrust

Are you able to see the UF's internal logs in Splunk?  If not, then that problem must be resolved first.

Please share the WinEventLog inputs.conf stanza(s).

Please also tell how you are trying to search for the events.

---
If this reply helps you, Karma would be appreciated.

belleke
Explorer

The first screenshot is about UF's internal logs in Splunk. The second screenshot is my search string looking for winevent. I also wrote down my inputs.conf. I do apologize that I have little knowledge about this all. If I need to send more info or the right one 😉 please let me know, thanks!

[Screenshot 1: belleke_1-1734010994864.png (UF internal logs in Splunk)]

[Screenshot 2: belleke_3-1734011179656.png (search string for winevent)]

inputs.conf:

[WinEventLog://Security]
disabled = 0
index = main
sourcetype = WinEventLog:Security
evt_resolve_ad_obj = 1
checkpointInterval = 5

@richgalloway


belleke
Explorer

I've solved the issue, thanks for your help!

@richgalloway 

richgalloway
SplunkTrust

How did you solve it?

---
If this reply helps you, Karma would be appreciated.

gcusello
SplunkTrust

Hi @belleke ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


belleke
Explorer

@richgalloway 

Thanks for your reply, unfortunately I still have no luck. By the looks of it I'm not receiving any sourcetypes in Splunk. I saw my typo mistake later but still wasn't able to receive any kind of data regarding wineventlogging.
Any other suggestions what could be the issue?
