Monitoring Splunk

windows logs monitoring

splkadmin
Explorer

Hi,

I have installed the Windows forwarder on my Windows machine with the default installation, and I am receiving the event and system logs in the default main index.

I have to add a log directory, e.g. D:/App/system/logs, to my Splunk.

I added it through the CLI using ./splunk add monitor D:/App/system/logs and restarted the service, but unfortunately I am still not receiving the logs in my Splunk index.

Can you please provide the details on how to add the log directory to Splunk?

1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @splkadmin,

If you need to index Windows logs, first of all I suggest using the Splunk Windows TA (https://splunkbase.splunk.com/app/742/), where you can already find all the scripts and monitor stanzas to index all Windows logs.

You only have to enable the stanzas you need.

Then I suggest not putting the logs in the main index, but sending them to specific indexes (e.g. wineventlog, perfmon, msad, etc.) so you can manage access and retention for each one.

Finally, to monitor files in a folder, you can take one of the stanzas and copy it, modifying only the first row; otherwise follow the procedure at https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories

In a few words:

If you already have a Technical Add-on (e.g. Windows_TA), you can put the following stanza in $SPLUNK_HOME\etc\apps\your_app\local\inputs.conf; otherwise you can create your own TA and put it in inputs.conf:

# inputs.conf: attribute names are lowercase and case-sensitive ("disabled", not "disable")
[monitor://D:\App\system\logs\*.log]
disabled = 0
index = your_index
sourcetype = your_sourcetype

Here you can find a useful video:

https://www.splunk.com/en_us/training/videos/getting-data-in-to-splunk-enterprise-windows.html

Ciao.

Giuseppe

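The procedure in the answer above, as an added PowerShell example that is not part of the original post: it writes the monitor stanza into an app's local\inputs.conf and then runs the checks a practitioner would do when the directory is still not being indexed (which file Splunk resolves the stanza from, whether the service account can read the directory, what the tailing processor reports, and what splunkd.log complains about). The install path in $SplunkHome, the app name my_app_logs, the index app_logs and the sourcetype app:system are assumptions; replace them with your own.

```powershell
# Added example (not from the original post): configure and verify a Splunk
# file-monitor input on Windows. $SplunkHome, the app name "my_app_logs", the
# index "app_logs" and the sourcetype "app:system" are placeholders.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'
$LogDir     = 'D:\App\system\logs'
$Stanza     = "monitor://$LogDir\*.log"
$AppLocal   = Join-Path $SplunkHome 'etc\apps\my_app_logs\local'

# 1. Write the stanza. The attribute is "disabled" (not "disable") and names are
#    lowercase; Splunk ignores attributes it does not recognise, so a typo here
#    does not fail loudly, it just leaves the setting at its default.
New-Item -ItemType Directory -Force -Path $AppLocal | Out-Null
@"
[$Stanza]
disabled = 0
index = app_logs
sourcetype = app:system
"@ | Set-Content -Path (Join-Path $AppLocal 'inputs.conf') -Encoding ASCII

# 2. Confirm which file Splunk actually resolves the stanza from. btool merges
#    every inputs.conf on the host, so a copy of the same stanza in another app
#    (for example one created earlier by "splunk add monitor") can override it.
& $Splunk btool inputs list $Stanza --debug

# 3. The service account must be able to read the directory. A default install
#    runs as LocalSystem, which normally can; an install hardened to run as a
#    dedicated low-privilege account frequently cannot read application paths.
$svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder' OR Name='Splunkd'" |
       Select-Object -First 1
"Splunk runs as: $($svc.StartName)"
(Get-Acl $LogDir).Access |
    Where-Object { $_.FileSystemRights -match 'Read' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# 4. Restart so the new input is loaded, then ask the tailing processor whether
#    it has opened the files (this command prompts for admin credentials).
& $Splunk restart
& $Splunk list inputstatus | Select-String -Pattern ([regex]::Escape($LogDir)) -Context 0,4

# 5. Look for warnings or errors about the path or the target index. If the
#    index does not exist on the indexer the forwarder still sends the data, but
#    the indexer drops it and logs "unconfigured/disabled/deleted index" in its
#    own splunkd.log, so check there too when the forwarder side looks clean.
Get-Content (Join-Path $SplunkHome 'var\log\splunk\splunkd.log') -Tail 2000 |
    Select-String -Pattern 'ERROR|WARN' |
    Select-String -Pattern ([regex]::Escape($LogDir)), 'app_logs' |
    Select-Object -Last 20
```

The same input can be created from the CLI with `splunk.exe add monitor D:\App\system\logs -index app_logs -sourcetype app:system`; the CLI form writes the stanza into an app of its own, which is why step 2 matters when a stanza was added both ways. Creating the dedicated index on the indexer before enabling the input is what makes the answer's access-control and retention advice work: per-index role permissions and retention only apply to data that actually landed in that index.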


gcusello
SplunkTrust
SplunkTrust

Hi @splkadmin,

Good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
