Splunk Enterprise

Forwarding and receiving no WinEventLog on Application, Security etc except Setup

Kitteh
Path Finder

My forwarder's conf:

Input:
[default]
host = IE8Win7

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

Output:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.0.1:9998

[tcpout-server://192.168.0.1:9998]

My receiver is set to listen on port 9998.
But in my Splunk Search & Reporting, it only shows WinEventLog:Setup in my Sourcetype and Source.

Kitteh
Path Finder

Issue was solved; I found out that the Audit Policy in your gpedit.msc should be configured to enable auditing of success and failure in the Local Policies of the Computer.

gcusello
SplunkTrust

Hi Kitteh,
download and install on your forwarders the Splunk Add-on for Microsoft Windows ( https://splunkbase.splunk.com/app/742/ ); in this way you have a correct configuration of the Windows inputs.
Eventually disable some inputs that you don't need.
If it's a test it's not important, but if you have a production environment I suggest using a Deployment Server to deploy all TAs.
Bye.
Giuseppe

Kitteh
Path Finder

The Splunk Add-on for Microsoft Windows was already included in the installer. Before the add-on, I had selected all kinds of Windows logs as the input, but to no avail: nothing was sent except the Setup Windows log.

gcusello
SplunkTrust

Hi Kitteh,
the inputs.conf that you inserted in your question isn't the one in the Windows TA; probably it is in %SPLUNK_HOME/etc/system/local.
See %SPLUNK_HOME/etc/apps/Splunk_TA_windows/default/inputs.conf and verify which stanzas are enabled (or eventually in %SPLUNK_HOME/etc/apps/Splunk_TA_windows/default/inputs.conf).
Or, if you have a Deployment Server, perform the same check in
%SPLUNK_HOME/etc/deploymentapps/Splunk_TA_windows/default/inputs.conf or in %SPLUNK_HOME/etc/apps/Splunk_TA_windows/default/inputs.conf.
Bye.
Giuseppe

Kitteh
Path Finder

Hi cusello,

my file in %SPLUNK_HOME/etc/apps/Splunk_TA_windows/default/inputs.conf currently looks like this, in short:

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = winapplication
renderXml = true

I've also created an individual index for each of the logs, like winsecurity, winsystem and winapplication. Is there anything to do with permissions for reading or transferring the Event Viewer logs that I have to change? Not sure if this is the issue.

gcusello
SplunkTrust

Check log policy and clock on target server.
Bye.
Giuseppe

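The checks discussed in this thread (are the local channels actually being written, is the audit policy enabled, can the forwarder account read the Security log, is the clock right) collected into one diagnostic script. This is an added example, not code from the thread or from the Splunk add-on; the service name SplunkForwarder is assumed to be the Universal Forwarder's default, and the script is meant for an elevated PowerShell on the forwarder host.

```powershell
# Added diagnostic for the symptom in this thread: only WinEventLog:Setup arrives
# while Application/Security/System stay empty on the indexer.
# Run in an elevated PowerShell on the forwarder host.
# Assumption: the Universal Forwarder service is registered as 'SplunkForwarder'.

# 1. Do the channels named in the inputs.conf stanzas contain any records?
#    A RecordCount of 0 and an empty LastWriteTime mean nothing is written locally,
#    so the forwarder has nothing to read regardless of its configuration.
Get-WinEvent -ListLog Application, Security, System, Setup |
    Select-Object LogName, IsEnabled, RecordCount, LastWriteTime, LogMode |
    Format-Table -AutoSize

# 2. Is auditing switched on? The accepted answer enabled success/failure auditing
#    under Local Policies; auditpol shows the effective per-subcategory setting.
#    Subcategories reported as "No Auditing" explain an empty Security log.
Write-Host "Audit subcategories currently set to 'No Auditing':"
auditpol /get /category:* | Where-Object { $_ -match 'No Auditing' }

# 3. Which account runs the forwarder? Reading the Security channel requires
#    Local System or membership in the 'Event Log Readers' group; an ordinary
#    local user gets an access-denied error and the Security input stays silent.
$svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
if ($svc) {
    "Forwarder runs as: $($svc.StartName) (state: $($svc.State))"
} else {
    "SplunkForwarder service not found; check the service name in services.msc"
}

# 4. Clock check, as suggested in the last reply: a skewed clock stamps events
#    outside the time range searched on the indexer, so they look missing.
w32tm /query /status
```

If step 1 shows Security with a non-zero RecordCount but nothing reaches the indexer, the problem is on the forwarder side (account or inputs.conf); if the count is zero, it is the audit policy, exactly as the accepted answer found.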