Did you modify your inputs.conf to have a stanza pertaining to the "Exchange Auditing"?
Like such:
[WinEventLog:Exchange Auditing]
disabled = 0
Check out this link, it should clear things up.
http://www.splunk.com/base/Documentation/latest/Data/MonitorWindowsdata
Yes, splunk runs as a domain user. I'll try the server setting then.
One other thing to make note of with remote collection. You will need to have Splunk services running as a domain\user with permissions on the remote box in order to collect successfully.
http://www.splunk.com/base/Documentation/latest/Data/MonitorWMIdata#Security_and_remote_access_consi...
OK, then you will need to add the server setting to the stanza.
server =
A comma-separated list of servers from which to get data.
If not present, defaults to the local machine.
Have a look at the wmi.conf spec:
http://www.splunk.com/base/Documentation/4.2.1/admin/Wmiconf
Thanks, but this way it tries to collect "Exchange Auditing" log from the localhost. From the remote server I still do not get anything.
One more thing to mention - I'm using "Remote event log collections" for adding this log.
Could the problem be that the Exchange Auditing log is being kept not in the system32\config directory but under Program Files, and it's not an *.evt file but an *.evtx file?
Unfortunately splunkd.log doesn't have any references to that particular log.
Could you elaborate on what occurs when you attempt to get Splunk to eat the log? Are you seeing anything in splunkd.log related to this particular file/input?