Splunk Search

Can't get events from Exchange Auditing log

randok
New Member

I can get events from any other event log on the Exchange server but the "Exchange Auditing" log. Has anybody else encountered this?

0 Karma

JSapienza
Contributor

Did you modify your inputs.conf to have a stanza pertaining to the "Exchange Auditing"?
Like such:

[WinEventLog:Exchange Auditing]

disabled = 0

Check out this link; it should clear things up.
http://www.splunk.com/base/Documentation/latest/Data/MonitorWindowsdata

randok
New Member

Yes, splunk runs as a domain user. I'll try the server setting then.

0 Karma

JSapienza
Contributor

One other thing to make note of with remote collection. You will need to have Splunk services running as a domain\user with permissions on the remote box in order to collect successfully.
http://www.splunk.com/base/Documentation/latest/Data/MonitorWMIdata#Security_and_remote_access_consi...

0 Karma

JSapienza
Contributor

OK, then you will need to add the server setting to the stanza.

server =

A comma-separated list of servers from which to get data.
If not present, defaults to the local machine.

Have a look at the wmi.conf spec:
http://www.splunk.com/base/Documentation/4.2.1/admin/Wmiconf

0 Karma
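As an added illustration of the point above (not configuration from the original thread), here is what the difference looks like in wmi.conf. The first stanza has no server setting and therefore polls the local machine, which is the behaviour randok reports; the second names the remote host. The stanza name and the hostname exch01.corp.example are assumptions, and event_log_file and interval are the wmi.conf keys for the log name and the polling period in seconds.

```ini
# wmi.conf on the Splunk instance that does the collecting

# Polls "Exchange Auditing" on the local machine only (no server = line)
[WMI:ExchangeAuditingLocal]
event_log_file = Exchange Auditing
interval = 10
disabled = 0

# Polls the same log on the remote Exchange server (hostname is an assumption)
[WMI:ExchangeAuditingRemote]
server = exch01.corp.example
event_log_file = Exchange Auditing
interval = 10
disabled = 0
```

The server line takes a comma-separated list, so one stanza can cover several Exchange servers. Splunk must run as a domain account with rights on each listed host, as noted elsewhere in the thread.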

randok
New Member

Thanks, but this way it tries to collect "Exchange Auditing" log from the localhost. From the remote server I still do not get anything.

0 Karma

randok
New Member

One more thing to mention - I'm using "Remote event log collections" for adding this log.

0 Karma

randok
New Member

Could the problem be that the Exchange Auditing log is being kept not in the system32\config directory but under Program Files, and it's not an *.evt file but an *.evtx file?

0 Karma
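An added diagnostic script, not from the original thread or from Splunk, that checks the three things raised above on a collecting host: which account the Splunk service runs as (JSapienza's permissions point), whether the remote Exchange host exposes the log through the modern event log API and where its file lives (randok's .evtx question), and whether WMI can see the same log. The server name, service name and log name are parameters with assumed defaults. One caveat from how Windows works rather than from the thread: the WMI classes that remote event log polling relies on (Win32_NTEventlogFile and Win32_NTLogEvent) cover classic event logs only, so a channel-based .evtx log stored under Program Files can appear in the second check and be absent from the third.

```powershell
param(
    [string]$Server      = 'exch01.corp.example',  # assumed remote Exchange host
    [string]$LogName     = 'Exchange Auditing',
    [string]$ServiceName = 'splunkd'               # assumed Splunk service name on this host
)

# 1. Account the local Splunk service runs as. Remote collection needs a domain
#    account that has rights on the Exchange server.
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if ($svc) { "Service '$ServiceName' runs as: $($svc.StartName)" }
else      { "Service '$ServiceName' not found on this host" }

# 2. Modern event log API: sees classic .evt logs and channel-based .evtx logs alike,
#    and reports where the log file actually lives.
$log = Get-WinEvent -ListLog $LogName -ComputerName $Server -ErrorAction SilentlyContinue
if ($log) {
    "{0}: path={1} records={2} type={3} enabled={4}" -f `
        $log.LogName, $log.LogFilePath, $log.RecordCount, $log.LogType, $log.IsEnabled
} else {
    "Get-WinEvent cannot see '$LogName' on $Server (check the name and your permissions)"
}

# 3. WMI view of the same host. Win32_NTEventlogFile lists classic event logs only;
#    a log present in step 2 but missing here is invisible to a WMI poll.
$wmiLog = Get-WmiObject Win32_NTEventlogFile -ComputerName $Server -ErrorAction SilentlyContinue |
          Where-Object { $_.LogfileName -eq $LogName }
if ($wmiLog) { "WMI sees '$LogName' at $($wmiLog.Name) ($($wmiLog.NumberOfRecords) records)" }
else         { "WMI (Win32_NTEventlogFile) does not list '$LogName' on $Server" }
```

Run it as the same account the Splunk service uses so that step 2 and step 3 reflect the permissions Splunk actually has; an access-denied result there points at rights on the remote box rather than at the Splunk configuration.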

randok
New Member

Unfortunately splunkd.log doesn't have any references to that particular log.

0 Karma

jbsplunk
Splunk Employee

Could you elaborate on what occurs when you attempt to get Splunk to eat the log? Are you seeing anything in splunkd.log related to this particular file/input?

0 Karma