Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Forwarder add Windows Event log command line

kceleslie
Engager
‎04-16-2014 07:31 AM

Is it possible to add to the splunk forwarder via the command line items from Windows Event viewer? I know we can update inputs.conf but is it possible via the command line?

If it is possible, shouldn't monitored event log items show up when you list monitored items?

splunk list monitor

Doesn't display event log items. Thanks

Tags (3)
0 Karma
Reply

bbiandov
Path Finder
‎03-23-2016 08:57 PM

edit C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf and add:

[WinEventLog://Application]
disabled = 0 
[WinEventLog://Security]
disabled = 0 
[WinEventLog://System]
disabled = 0 
[WinEventLog://DNS Server]
disabled = 0

Then restart the windows service for the universal forwarder to re-read the changes.

0 Karma
Reply

splunker12er
Motivator
‎10-01-2014 04:27 AM 
Monitored Event Log Collections:
        localhost
                disabled:1
                hosts:localhost
                index:default
                logs:
                        Application
                        ForwardedEvents
                        HardwareEvents
                        Internet Explorer
                        Security
                        Setup
                        System

Just got the above as the result of

C:\Program Files\SplunkUniversalForwarder\bin>splunk list eventlog

how to enable the log monitor ?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-16-2014 10:29 AM

You should be able to make a REST call against yourself from the CLI using this endpoint: http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput#POST_data.2Finputs.2Fwin-event-...

0 Karma
Reply

kceleslie
Engager
‎04-16-2014 10:18 AM

Thanks!
Just found this, looks like it is not possible with the CLI
http://answers.splunk.com/answers/9389/configuring-a-light-forwarder-to-monitor-the-windows-event-lo...

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-16-2014 09:49 AM

Give this a try for listing:

splunk list eventlog
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-16-2014 09:47 AM

Those don't show up in splunk list monitor because a Windows event log entry looks like this:

[WinEventLog://<name>]

rather than this:

[monitor://<path>]

Hence they're not monitor type stanzas.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...