Certain Windows event logs are not being sent to the indexer

pil321
Communicator

I have the UF installed on a couple of servers used for Citrix XenDesktop (v.7) and I'm not getting some event IDs coming to my indexer. I've installed the Template for Citrix XenDesktop app on the servers (TA-XD7-Broker) and that looks to be working for the most part, but when one of the VDI engineers asked me to set up an alert to trigger when event code 1101 was logged, I found that my indexer was not getting that log.

How do I let the Splunk indexer know that I want to get this certain log? Or, is this something I need to set up on the UF?

Running RHEL 6 on the Splunk servers, in case that is relevant.

0 Karma

jconger
Splunk Employee

There are two TAs that need to be deployed for a XenDesktop environment. TA-XD7-Broker goes on the XenDesktop Brokers. TA-XD7-VDA goes on the desktops. If you are looking for event ID 1101 in the Application event log, you won't see it because that event ID is not collected by default (by either TA). Here are the defaults for the TAs:

[WinEventLog:Application]
disabled = 0
index = xd_winevents

## This line limits collection to application crashes or hangs
whitelist = 1000-1011

[WinEventLog:System]
disabled = 0
index = xd_winevents

[WinEventLog:Security]
disabled = 0
index = xd_winevents

[WinEventLog:Setup]
disabled = 0
index = xd_winevents

Notice the whitelist on the Application event log, which tells the UF to only collect event IDs in the specified range.

To make a change, copy the inputs.conf file to the $SPLUNK_HOME\etc\apps\TA-XD7-*\local directory (create the directory if it is not there). Then, make your changes to the inputs.conf file in order to pick up what you want.

0 Karma
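Added example (not Splunk's code and not part of the thread): a small Python model of how a forwarder layers a TA's default inputs.conf with a local one and then applies a WinEventLog whitelist. Splunk merges configuration attribute by attribute, so an attribute present in local wins, but an attribute that is simply missing (or commented out) in local is inherited from default. The model shows that commenting out the whitelist line in a copied local file still leaves event code 1101 filtered, while setting an explicit, wider whitelist in local lets it through. The stanza text is a constructed copy of the defaults quoted above; the two local variants and the function names are hypothetical.

```python
"""Model of Splunk-style inputs.conf layering plus a WinEventLog
event-code whitelist. Illustrative only; this is not Splunk's parser."""
import re

# Constructed copy of the TA-XD7 default Application stanza from the thread.
DEFAULT_INPUTS = """
[WinEventLog:Application]
disabled = 0
index = xd_winevents
## This line limits collection to application crashes or hangs
whitelist = 1000-1011
"""

# Hypothetical local/inputs.conf: a copy with the whitelist commented out.
LOCAL_COMMENTED_OUT = """
[WinEventLog:Application]
disabled = 0
index = xd_winevents
# whitelist = 1000-1011
"""

# Hypothetical local/inputs.conf: an explicit override that widens the list.
LOCAL_WIDENED = """
[WinEventLog:Application]
whitelist = 1000-1011,1101
"""


def parse_inputs_conf(text):
    """Parse [stanza] / key = value text into {stanza: {key: value}}.
    Lines starting with '#' are comments and are ignored."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_layers(default, local):
    """Attribute-level merge: local overrides default per key; keys that
    local does not mention are inherited unchanged from default."""
    merged = {stanza: dict(attrs) for stanza, attrs in default.items()}
    for stanza, attrs in local.items():
        merged.setdefault(stanza, {}).update(attrs)
    return merged


def parse_event_code_list(spec):
    """Expand a whitelist such as '4,5,100-200' into a set of event codes."""
    codes = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            codes.update(range(int(lo), int(hi) + 1))
        else:
            codes.add(int(part))
    return codes


def is_collected(stanza_attrs, event_code):
    """True if the input is enabled and the event code passes the whitelist.
    With no whitelist at all, every event in the channel is collected."""
    if stanza_attrs.get("disabled", "0").lower() not in ("0", "false"):
        return False
    whitelist = stanza_attrs.get("whitelist")
    if whitelist is None:
        return True
    return event_code in parse_event_code_list(whitelist)


def evaluate(default_text, local_text, channel, event_code):
    """Merge default and local text for one channel and test an event code."""
    merged = merge_layers(parse_inputs_conf(default_text),
                          parse_inputs_conf(local_text))
    return is_collected(merged[channel], event_code)


if __name__ == "__main__":
    chan = "WinEventLog:Application"
    for label, local in (("no local", ""),
                         ("local with whitelist commented out", LOCAL_COMMENTED_OUT),
                         ("local with widened whitelist", LOCAL_WIDENED)):
        print(f"{label}: 1101 collected = {evaluate(DEFAULT_INPUTS, local, chan, 1101)}")
```

The practical point is in the second case: a commented-out line in local does not cancel the default, so the override has to state the whitelist you actually want (or cover the codes you need explicitly). Note also that inputs.conf is read by the forwarder, so a change on a broker only takes effect once that UF reloads its configuration, independent of anything done on the indexer.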

pil321
Communicator

So I've commented out the "whitelist = 1000-1010" line from the server and desktop apps as I stated previously (on the local directories inputs.conf - as stated by jconger), but I still don't see any application logs other than the ones on the whitelist (1000-1010). I don't see any information logs (which is good - don't want those), but there have been other application log warning events since then that have not been logged. I restarted the indexer.

Any other ideas?

0 Karma

pil321
Communicator

Thanks for your reply jconger. I should have mentioned that I commented out the line "whitelist = 1000-1011" from the server app, but I didn't make the changes on the desktop app. Not sure why that would matter though, since this event is triggered by the server, not the desktops.

I'll make the changes on the desktop side and see if that helps.

0 Karma