Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forwarding Saved Windows Events

ashishv
Explorer
‎01-28-2011 09:46 PM

i have a windows splunk forwarder config'd to forward all local Events logs; i have a event log from another server that i imported on this machine and want splunk forwarder to send this log events to splunk server...

is this achievable? if yes, How?

what are some of the best practices to import Windows Events log for a particular Windows Event ID?

thanks Ashish

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎01-28-2011 11:10 PM

I am unsure, but believe the 'import' function is a data viewing operation?

We will try to read events from an evt or evtx file if you point splunk at it to monitor, but note that there can be problems with moving eventlog data from one system to another, where some values cannot be resolved because of nonpresent operating system or application dlls. This more typically will result in incomplete data (missing fields), more than a failure to read.

In general the windows eventlog api is much higher quality in vista and later revisions of the platform (vista, 7, 2008) than in earlier versions (xp, 2003), so it's preferable to run the eventlog collector on those later versions.

As for collecting a specific eventID, I cannot think of a nice way. You could definitely create props/transforms to discard all but your desired eventID for a given input by regex matching, but this is more than a bit tricky.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎01-28-2011 11:10 PM

I am unsure, but believe the 'import' function is a data viewing operation?

We will try to read events from an evt or evtx file if you point splunk at it to monitor, but note that there can be problems with moving eventlog data from one system to another, where some values cannot be resolved because of nonpresent operating system or application dlls. This more typically will result in incomplete data (missing fields), more than a failure to read.

In general the windows eventlog api is much higher quality in vista and later revisions of the platform (vista, 7, 2008) than in earlier versions (xp, 2003), so it's preferable to run the eventlog collector on those later versions.

As for collecting a specific eventID, I cannot think of a nice way. You could definitely create props/transforms to discard all but your desired eventID for a given input by regex matching, but this is more than a bit tricky.

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎01-31-2011 11:30 PM

The simple answer is that setting splunk to monitor the specific path should work. If that is not working for you, then I recommend working with splunk support to resolve the problem.

0 Karma
Reply
Solved! Jump to solution

ashishv
Explorer
‎01-31-2011 03:36 PM

splunk monitor is on Windows 7, Event logs are from Win2008 servers. when i try to import these evtx logs, it gives me the following error:

"Your entry was not saved. The following error was reported: SyntaxError: Unexpected token <"

Ashish

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...