sswigart
Engager
03-27-2024
01:01 PM
I want to add C:\windows\system32\winevt\logs\Microsoft-Windows-DriverFrameworks-UserMode/Operational as a stanza in my inputs.conf.
How do I write the stanza?
Thank you
1 Solution
marnall
Motivator
03-27-2024
01:07 PM
Are those logs deliberately put in a file, or can they be viewed in the Windows Event Log?
If they are in the Windows Event Logs, then you can use a WinEventLog stanza:
```ini
[WinEventLog://Microsoft-Windows-DriverFrameworks-UserMode/Operational]
index=<your index>
sourcetype=<your sourcetype>
#etc
```
ref: https://docs.splunk.com/Documentation/Splunk/9.2.0/admin/Inputsconf
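The distinction the answer draws (the .evtx file on disk versus the Event Log channel Splunk subscribes to) is easy to get wrong, because the channel name is what goes after `WinEventLog://`, not the file path, and on disk the `/` in a channel name is stored as `%4`. The following Python script is an added example, not code from the original thread or from Splunk: it derives the channel name from a path under `winevt\logs`, renders the stanza, parses it back with a minimal inputs.conf reader, and flags the common mistakes (backslashes, drive letters, `.evtx`, `%4`). The index and sourcetype values are constructed placeholders; `disabled`, `index` and `sourcetype` are standard inputs.conf settings.

```python
"""Turn an .evtx file path into a Splunk WinEventLog stanza and sanity-check it.

Added example for the thread above; assumes nothing beyond the standard
inputs.conf settings disabled/index/sourcetype.
"""
import re

# Case-insensitive match for the "...\winevt\logs\" part of an event log file path.
LOGS_DIR_RE = re.compile(r"(?i)[\\/]winevt[\\/]logs[\\/]")
# A "[stanza name]" header line in inputs.conf.
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
PREFIX = "WinEventLog://"


def channel_from_evtx_path(path: str) -> str:
    """Derive the Event Log channel name from a path under winevt\\logs.

    On disk the '/' in a channel name is written as '%4', e.g.
    Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx, so both
    spellings are accepted and the .evtx extension is dropped.
    """
    m = LOGS_DIR_RE.search(path)
    if not m:
        raise ValueError(f"not a path under winevt\\logs: {path!r}")
    name = path[m.end():]
    if name.lower().endswith(".evtx"):
        name = name[:-5]
    return name.replace("%4", "/")


def build_wineventlog_stanza(channel: str, index: str, sourcetype: str = "") -> str:
    """Render an inputs.conf stanza that subscribes to the given channel."""
    lines = [f"[{PREFIX}{channel}]", "disabled = 0", f"index = {index}"]
    if sourcetype:
        lines.append(f"sourcetype = {sourcetype}")
    return "\n".join(lines) + "\n"


def parse_inputs_conf(text: str) -> dict:
    """Minimal inputs.conf reader: [stanza] headers, key = value lines, # comments."""
    stanzas: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"setting outside a stanza or malformed: {raw!r}")
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def wineventlog_stanza_problems(stanza_name: str) -> list:
    """Return readable problems with a WinEventLog stanza header; [] if it looks fine."""
    if not stanza_name.startswith(PREFIX):
        return [f"stanza must start with {PREFIX}"]
    channel = stanza_name[len(PREFIX):]
    problems = []
    if not channel:
        problems.append("channel name is empty")
    if "\\" in channel or re.match(r"(?i)^[a-z]:", channel):
        problems.append("channel looks like a file path; use the channel name, not the .evtx path")
    if channel.lower().endswith(".evtx"):
        problems.append("channel should not carry the .evtx extension")
    if "%4" in channel:
        problems.append("'%4' is the on-disk encoding of '/'; write '/' in the channel name")
    return problems


if __name__ == "__main__":
    # The path from the question, with constructed placeholder index/sourcetype values.
    path = r"C:\windows\system32\winevt\logs\Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    channel = channel_from_evtx_path(path)
    stanza = build_wineventlog_stanza(channel, "wineventlog", "WinEventLog")
    print(stanza)
    for name in parse_inputs_conf(stanza):
        print(name, "->", wineventlog_stanza_problems(name) or "ok")
```

Running the script prints the stanza for the channel in the question and reports `ok` for it; feeding it the raw `C:\...\*.evtx` path as a stanza name instead lists the reasons it would not work as a WinEventLog input.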
sswigart
Engager
03-27-2024
01:45 PM
Thank you!