
Can't get events from Exchange Auditing log

New Member

I can get events from any other event log on the Exchange server but the "Exchange Auditing" log. Has anybody else encountered this?

0 Karma

Contributor

Did you modify your inputs.conf to have a stanza pertaining to the "Exchange Auditing"?
Like such:

[WinEventLog:Exchange Auditing]
disabled = 0

Check out this link, it should clear things up.
http://www.splunk.com/base/Documentation/latest/Data/MonitorWindowsdata

New Member

Yes, splunk runs as a domain user. I'll try the server setting then.

0 Karma

Contributor

One other thing to make note of with remote collection. You will need to have Splunk services running as a domain\user with permissions on the remote box in order to collect successfully.
http://www.splunk.com/base/Documentation/latest/Data/MonitorWMIdata#Security_and_remote_access_consi...

0 Karma

Contributor

OK, then you will need to add the server setting to the stanza.

server =

A comma-separated list of servers from which to get data.
If not present, defaults to the local machine.

Have a look at the wmi.conf spec:
http://www.splunk.com/base/Documentation/4.2.1/admin/Wmiconf

0 Karma
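Putting the two replies together (the "Exchange Auditing" log name from the inputs.conf suggestion and the server setting from the wmi.conf spec), the remote-collection form looks like the stanza below. This is an added example, not configuration posted in the thread or taken from Splunk's documentation; the host names EXCH01/EXCH02 and the index name are placeholders, and it assumes the Splunk service account already has read access to the event log on those hosts, as the thread notes.

```ini
# wmi.conf on the Splunk instance that performs the remote collection.
# Added example; EXCH01, EXCH02 and the index name are placeholders.
# The stanza name after "WMI:" is arbitrary; the log being read is
# selected by event_log_file, not by the stanza name.
[WMI:ExchangeAuditing]
server = EXCH01, EXCH02
interval = 10
event_log_file = Exchange Auditing
disabled = 0
# Assumed to exist in indexes.conf; drop this line to use the default index.
index = exchange_audit

# For comparison: a [WinEventLog:...] stanza in inputs.conf reads only the
# local machine's log, which is why it never returns the remote server's data.
[WinEventLog:Exchange Auditing]
disabled = 0
```

After restarting Splunk, the WMI input logs connection and permission failures to splunkd.log under the stanza name, so that is the first place to look if the remote hosts still return nothing; a log name that does not exist on the target (or is spelled differently) shows up there as well.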

New Member

Thanks, but this way it tries to collect "Exchange Auditing" log from the localhost. From the remote server I still do not get anything.

0 Karma

New Member

One more thing to mention - I'm using "Remote event log collections" for adding this log.

0 Karma

New Member

Could the problem be that the Exchange Auditing log is being kept not in the system32\config directory but under Program Files, and it's not an *.evt file but an *.evtx file?

0 Karma

New Member

Unfortunately splunkd.log doesn't have any references to that particular log.

0 Karma

Splunk Employee

Could you elaborate on what occurs when you attempt to get Splunk to eat the log? Are you seeing anything in splunkd.log related to this particular file/input?

0 Karma