I see the wineventlog index growing after universal forwarder installation on Windows, but why are there no Windows events in the Search app Data Summary?

sdorsey15
New Member

Greetings all! I haven't worked with Splunk in about a year so I'm a little rusty.

Anyhow, I have Linux systems logging to Splunk no issue. However, I seem to be running into a problem with Windows logs.

I installed a Universal Forwarder on a few systems. I adjusted the inputs.conf under the system/local folder with the below stanza. When I went into search and reporting > data summary, I was not seeing entries there for logs coming from these systems. However, I checked the wineventlog index and it was rapidly growing. Then, I thought maybe it was an index issue, so I created a new index and updated the stanza to point to that instead. Same issue - didn't see timestamp updates under Data Summary but the index was growing. Verified I couldn't search for the logs either.

Ideas? Thanks much in advance!

###### OS Logs ######
[WinEventLog://Application]
disabled = false
# read the whole existing log from its beginning, not just new events
start_from = oldest
current_only = 0
index = wineventlog

[WinEventLog://Security]
disabled = false
start_from = oldest
current_only = 0
# drop the free-text Message body; header fields are still indexed
suppress_text = 1
# regex blacklists: skip 4662/566 unless the object type is groupPolicyContainer
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
# plain EventCode list/range blacklist
blacklist3 = 5140,5156-5157,4674
index = wineventlog

[WinEventLog://System]
disabled = false
start_from = oldest
current_only = 0
# seconds between checkpoint writes of the last-read position
checkpointInterval = 5
index = wineventlog

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false
index = wineventlog

[WinEventLog://Windows PowerShell]
checkpointInterval = 5
current_only = 0
disabled = false
start_from = oldest
index = wineventlog

javiergn
Super Champion

From what you are saying above, searches work fine against default indexes but not against others, so have you tried specifying the index name you are searching against as part of your query?
For instance:

index=wineventlog sourcetype=WinEventLog:* ...

By default Splunk will only search against your default indexes if you don't specify "index=". You can change this in your user profile by the way.

Thanks,
J
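Added example (my own, not code from this thread or from Splunk): the reason a search with no index= term misses an index is the role's srchIndexesDefault list in authorize.conf, while srchIndexesAllowed decides whether index=wineventlog can return anything at all. The script below reads a constructed authorize.conf-style role stanza and classifies each index the way Splunk's role settings would, including the rule that '*' does not match internal (underscore-prefixed) indexes. The role name, index names and config text are all made up for illustration.

```python
"""Classify indexes by how a Splunk role can reach them (added example)."""
import configparser
import fnmatch

# Constructed sample authorize.conf. Splunk separates list values with ';'.
# The role may search every normal index plus _internal, but an unqualified
# search (no index= term) only covers main.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *;_internal
srchIndexesDefault = main
"""

# Indexes that exist on the indexer (constructed).
SAMPLE_INDEXES = ["main", "wineventlog", "_internal", "_audit"]


def parse_role(conf_text, role):
    """Return (allowed_patterns, default_patterns) for the [role_<name>] stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep Splunk's camelCase keys as written
    parser.read_string(conf_text)
    stanza = parser[f"role_{role}"]
    allowed = [p for p in stanza.get("srchIndexesAllowed", "").split(";") if p]
    default = [p for p in stanza.get("srchIndexesDefault", "").split(";") if p]
    return allowed, default


def _index_matches(index, pattern):
    """Splunk wildcard semantics for srchIndexes* lists: '*' matches any
    non-internal index; an internal index (name starting with '_') only
    matches a pattern that itself starts with '_', e.g. '_*' or '_internal'."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)


def _matches_any(index, patterns):
    return any(_index_matches(index, p) for p in patterns)


def classify_indexes(conf_text, role, indexes):
    """Map each index to how a member of `role` reaches it:
    'default'  - returned by a search with no index= term
    'explicit' - returned only when the search names it with index=
    'denied'   - not searchable by this role at all
    """
    allowed, default = parse_role(conf_text, role)
    result = {}
    for idx in indexes:
        if not _matches_any(idx, allowed):
            result[idx] = "denied"
        elif _matches_any(idx, default):
            result[idx] = "default"
        else:
            result[idx] = "explicit"
    return result


def search_for(index, classification):
    """Suggest the SPL needed to see Windows events in `index`, or None."""
    how = classification[index]
    if how == "denied":
        return None
    if how == "explicit":
        return f"index={index} sourcetype=WinEventLog:*"
    return "sourcetype=WinEventLog:*"


if __name__ == "__main__":
    classes = classify_indexes(SAMPLE_AUTHORIZE_CONF, "user", SAMPLE_INDEXES)
    for name, how in classes.items():
        print(f"{name:12} {how:8} -> {search_for(name, classes)}")
```

With the sample role, wineventlog comes out as "explicit": events are there, but only index=wineventlog finds them, which matches what the poster sees. The fix is either to add the index to the role's srchIndexesDefault (admin side) or to set it in the user's own preferences, as J mentions.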

stephanefotso
Motivator

Hello! Run this search on the receiver, index=_internal, and verify the number of hosts you have, to know if data is coming from the forwarder.

Thanks

SGF
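Added example (mine, not from this thread or from Splunk) of the check SGF describes, done offline: the receiver's _internal index carries splunkd metrics.log lines with group=tcpin_connections, one per connected forwarder per metrics interval, and counting hostname values in them tells you which forwarders are actually delivering data. The log lines below are constructed in that format; the host names and addresses are made up. The SPL equivalent, shown in a comment, is the search you would run in the UI.

```python
"""Count forwarders seen in splunkd tcpin_connections metrics (added example)."""
import re
from collections import defaultdict

# SPL equivalent on the receiver:
#   index=_internal source=*metrics.log group=tcpin_connections
#   | stats count sum(kb) AS kb latest(fwdType) AS fwdType BY hostname

# Constructed sample metrics.log lines (two from a Windows UF, one from a
# Linux UF, and one unrelated thruput line that must be ignored).
SAMPLE_METRICS_LINES = [
    "04-20-2024 10:15:01.123 +0000 INFO  Metrics - group=tcpin_connections, "
    "10.0.0.5:54321:9997, connectionType=cooked, sourceHost=10.0.0.5, "
    "destPort=9997, kb=12.50, os=Windows, hostname=WIN-HOST-01, fwdType=uf, ssl=false",
    "04-20-2024 10:15:31.130 +0000 INFO  Metrics - group=tcpin_connections, "
    "10.0.0.5:54321:9997, connectionType=cooked, sourceHost=10.0.0.5, "
    "destPort=9997, kb=7.50, os=Windows, hostname=WIN-HOST-01, fwdType=uf, ssl=false",
    "04-20-2024 10:15:31.140 +0000 INFO  Metrics - group=tcpin_connections, "
    "10.0.0.9:40012:9997, connectionType=cooked, sourceHost=10.0.0.9, "
    "destPort=9997, kb=3.25, os=Linux, hostname=LINUX-01, fwdType=uf, ssl=false",
    "04-20-2024 10:15:31.150 +0000 INFO  Metrics - group=thruput, name=thruput, "
    "instantaneous_kbps=1.2, average_kbps=1.1, kb=36.0, ev=120",
]

# key=value pairs are comma separated; values never contain commas or spaces here
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_tcpin_line(line):
    """Return the key=value fields of a tcpin_connections line, else None."""
    if "group=tcpin_connections" not in line:
        return None
    return dict(KV_RE.findall(line))


def summarize_forwarders(lines):
    """Aggregate per forwarder hostname: connection samples, KB received,
    forwarder type and the source address it connected from."""
    summary = defaultdict(lambda: {"connections": 0, "kb": 0.0,
                                   "fwdType": None, "sourceHost": None})
    for line in lines:
        fields = parse_tcpin_line(line)
        if not fields or "hostname" not in fields:
            continue
        entry = summary[fields["hostname"]]
        entry["connections"] += 1
        entry["kb"] += float(fields.get("kb", 0))
        entry["fwdType"] = fields.get("fwdType")
        entry["sourceHost"] = fields.get("sourceHost")
    return dict(summary)


def missing_forwarders(expected_hosts, summary):
    """Hosts you installed a forwarder on that never showed up in the metrics."""
    return sorted(h for h in expected_hosts if h not in summary)


if __name__ == "__main__":
    seen = summarize_forwarders(SAMPLE_METRICS_LINES)
    for host, info in seen.items():
        print(f"{host:12} samples={info['connections']} kb={info['kb']:.2f} "
              f"from={info['sourceHost']} type={info['fwdType']}")
    print("never connected:", missing_forwarders(
        ["WIN-HOST-01", "WIN-HOST-02", "LINUX-01"], seen))
```

A forwarder that is listed under hostname here but whose events still do not appear in search points away from connectivity and toward index visibility (the role's default indexes); a forwarder missing from this list has not connected to port 9997 at all, which is the case to chase in the forwarder's own splunkd.log.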

sdorsey15
New Member

The events for the affected hosts only populate/rise if I send the logs to the Default index. If I send them to wineventlogs or a custom one, they do not rise and are not searchable despite the Indexes themselves showing increasing events.
