Hi All,

Absolute SPLUNK N00b here, so very sorry to resurrect an old thread, but did anyone figure this one out? I am currently asking myself the same question as @skender27.

I have enabled the logging in SSMS and can actually see the events from the SA login. My inputs.conf looks as follows:

[WinEventLog://Application]
disabled = false
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = true
index = "my index"

The problem is I see none of the corresponding event IDs for the SA user logins in Splunk (18453, 18454, 18456).

Any ideas or tips would be much appreciated.

Cheers,
Oli