Assuming, these are under Event Viewer ( For example: Event Viewer > Windows Logs > Applications and Services ) you need to add monitors like below in the local inputs.conf of the Windows host in question. Example: Below is the way we specify the path of the channel from EventViewer for sending over UAC logs. This is to be defined under c:\program files\splunk forwarder\apps\splunk_TA_Windows\local\inputs.conf [WinEventLog:Microsoft-Windows-UAC/Operational]
disabled = 0 You will have to adjust the path of the channel ( log folder) accordingly to where those KMS logs are stored.. Check this link for getting the path correct: https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/MonitorWindowseventlogdata#Use_the_Full_Name_log_property_in_Event_Viewer_to_specify_complex_Event_Log_channel_names_properly Note: You can also get the path by right clicking on a sampe Event >> event properties >> Details >> XML View >> channel name Pls vote up or mark as Solution if it helps
... View more