- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can't get events from Exchange Auditing log
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can't get events from Exchange Auditing log
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you modify your inputs.conf to have a stanza pertaining to the "Exchange Auditing"?
Like such:
[WinEventLog:Exchange Auditing]
disabled = 0
Check out this link,it should clear things up.
http://www.splunk.com/base/Documentation/latest/Data/MonitorWindowsdata
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, splunk runs as a domain user. I'll try the server setting then.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One other thing to make note of with remote collection. You will need to have Spunk services running as a domain\user with permissions on the remote box in order to collect successfully .
http://www.splunk.com/base/Documentation/latest/Data/MonitorWMIdata#Security_and_remote_access_consi...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, then you will need to add the server setting to the stanza.
server =
A comma-separated list of servers from which to get data.
If not present, defaults to the local machine.
Have a look at the wmi.conf spec:
http://www.splunk.com/base/Documentation/4.2.1/admin/Wmiconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, but this way it tries to collect "Exchange Auditing" log from the localhost. From the remote server I still do not get anything.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One more thing to mention - I'm using "Remote event log collections" for adding this log.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could the problem be that Exchange Auditing log is beeing kept not in system32\config directory but under Program Files and its not an *.evt file but *.evtx file?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately splunkd.log doesn't have any references to that particular log.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you elaborate on what occurs when you attempt to get Splunk to eat the log? Are you seeing anything in splunkd.log related to this particular file/input?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
