Splunk Search

Windows app and evtx files

gsawyer1
Engager

So then what is the recommended method for ingesting evtx files from Windows 2008? Also, when I enable and configure the Windows App to monitor my event logs, on both 2003 and 2008 servers, nothing is getting ingested. I verified that my account has full control over the Splunk installation directory. I am now manually entering the Windows stanzas in the inputs.conf file....

Tags (1)
0 Karma

ftk
Motivator

Does the account you are running Splunk under have sufficient privileges to access the Windows event logs in question?

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Do you want to monitor the Event Logs, or do you want to load *.evtx files? The files are a byproduct of Windows Logging. If you want to log data, you should use Splunk's Windows Event Log monitoring, and forget about the files. Importing or monitoring the *.evtx files can be done, but is most useful if somehow you have copied them over away from the system where they are being generated.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...