Is it possible to transport data from a Windows ev...

JensT · ‎02-22-2016

Hi,

In our environment, many applications are logging into the Windows Application Event log.
We would like to transport it separately.

Is it possible to transport data from a Windows Event log View?

-Jens

woodcock · ‎02-22-2016

You do not have to use Splunk's built-in WinEventLog facility. You can use the native Windows facilities to write a subset of logs to a directory/file and the use normal Splunk directory/file monitoring to forward them in.

javiergn · ‎02-22-2016

Yes it's possible.
Take a look at this:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/Monitorwindowseventlogdata

In principle you would need something like the following in your inputs.conf file:

[WinEventLog://Application]
disabled = 0
start_from = oldest
index = yourindexname

Then simply search from your GUI with:

   index=yourindexname sourcetype=WinEventLog:Application

The default sourcetype for Windows Application Logs is the one I specified above, but you can change this (not recommended as it'll have a major impact on parsing, etc).

JensT · ‎02-22-2016

Hello,

I do not want all Application Eventlogs. I want only logs from a VIEW.
And no, I do not want to use blacklist/whitelist.

Regards,
Jens

javiergn · ‎02-22-2016

If your view has a unique path you can do it this way:

 [WinEventLog://Path-To-Your-View]
 disabled = 0
 start_from = oldest
 index = yourindexname

For example:

[WinEventLog://Microsoft-Windows-TaskScheduler/Operational]

If that doesn't work for you, do you have any other way to uniquely identify those logs you are planning to collect? Is there a field that is unique for those events? If that's the case, blacklists and whitelists might be the only reasonable way even if you don't want to use them.

Is it possible to transport data from a Windows event log view?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life