Hello, I'm trying to set up Splunk in a lab environment. I've got one Windows client which I want to send logs over to my Splunk server via a UF. I am managing the endpoint's Splunk config via a deployment server. This works fine: the client checks in, my apps get pushed to it, all fine. For Windows logs, I'm using the Splunk TA for Windows (https://splunkbase.splunk.com/app/742/#/overview) with an inputs.conf as below:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
renderXml = true
evt_resolve_ad_obj = 1
index = windows

[WinEventLog://System]
disabled = 0
renderXml = true
evt_resolve_ad_obj = 1
index = windows

[WinEventLog://Application]
disabled = 0
renderXml = true
evt_resolve_ad_obj = 1
index = windows

The app gets deployed correctly and I see the above inputs.conf in %SPLUNK_HOME%/apps/Splunk_TA_windows/local/inputs.conf. However, in Splunk, I don't seem to be getting all the logs. In fact, I'm only getting event ID 6xxx logs and very few (43 events/15 mins). I can't figure out why all the logs aren't coming in but only a few irrelevant ones. Any help will be much appreciated. Thank you!