Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Forwarder add Windows Event log command line

kceleslie
Engager
‎04-16-2014 07:31 AM

Is it possible to add to the splunk forwarder via the command line items from Windows Event viewer? I know we can update inputs.conf but is it possible via the command line?

If it is possible, shouldn't monitored event log items show up when you list monitored items?

splunk list monitor

Doesn't display event log items. Thanks

Tags (3)
0 Karma
Reply

bbiandov
Path Finder
‎03-23-2016 08:57 PM

edit C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf and add:

[WinEventLog://Application]
disabled = 0 
[WinEventLog://Security]
disabled = 0 
[WinEventLog://System]
disabled = 0 
[WinEventLog://DNS Server]
disabled = 0

Then restart the windows service for the universal forwarder to re-read the changes.

0 Karma
Reply

splunker12er
Motivator
‎10-01-2014 04:27 AM 
Monitored Event Log Collections:
        localhost
                disabled:1
                hosts:localhost
                index:default
                logs:
                        Application
                        ForwardedEvents
                        HardwareEvents
                        Internet Explorer
                        Security
                        Setup
                        System

Just got the above as the result of

C:\Program Files\SplunkUniversalForwarder\bin>splunk list eventlog

how to enable the log monitor ?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-16-2014 10:29 AM

You should be able to make a REST call against yourself from the CLI using this endpoint: http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput#POST_data.2Finputs.2Fwin-event-...

0 Karma
Reply

kceleslie
Engager
‎04-16-2014 10:18 AM

Thanks!
Just found this, looks like it is not possible with the CLI
http://answers.splunk.com/answers/9389/configuring-a-light-forwarder-to-monitor-the-windows-event-lo...

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-16-2014 09:49 AM

Give this a try for listing:

splunk list eventlog
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-16-2014 09:47 AM

Those don't show up in splunk list monitor because a Windows event log entry looks like this:

[WinEventLog://<name>]

rather than this:

[monitor://<path>]

Hence they're not monitor type stanzas.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...