Hi,
In our environment, many applications log to the Windows Application Event log.
We would like to transport it separately.
Is it possible to transport data from a Windows Event log View?
-Jens
You do not have to use Splunk's built-in WinEventLog facility. You can use the native Windows facilities to write a subset of logs to a directory/file and then use normal Splunk directory/file monitoring to forward them in.
Yes, it's possible.
Take a look at this:
http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/Monitorwindowseventlogdata
In principle you would need something like the following in your inputs.conf file:
[WinEventLog://Application]
disabled = 0
start_from = oldest
index = yourindexname
Then simply search from your GUI with:
index=yourindexname sourcetype=WinEventLog:Application
The default sourcetype for Windows Application Logs is the one I specified above, but you can change this (not recommended as it'll have a major impact on parsing, etc).
Hello,
I do not want all Application Event logs. I want only logs from a VIEW.
And no, I do not want to use blacklist/whitelist.
Regards,
Jens
If your view has a unique path you can do it this way:
[WinEventLog://Path-To-Your-View]
disabled = 0
start_from = oldest
index = yourindexname
For example:
[WinEventLog://Microsoft-Windows-TaskScheduler/Operational]
If that doesn't work for you, do you have any other way to uniquely identify those logs you are planning to collect? Is there a field that is unique for those events? If that's the case, blacklists and whitelists might be the only reasonable way even if you don't want to use them.
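An Event Viewer custom view is just a QueryList of XPath Select (and optional Suppress) expressions, one per channel path, so the two answers above (a stanza per unique path, and a whitelist for the events the view keeps) can be derived mechanically from the view's exported XML. The following is an added example, not code from this thread or from Splunk; it parses a constructed custom-view XML and renders inputs.conf stanzas. It assumes the view was exported with Event Viewer's "Export Custom View" (the QueryList format), that Splunk's WinEventLog stanzas accept `whitelist`/`blacklist` as comma-separated event codes, and that `yourindexname` is a placeholder. Level and Provider predicates in the XPath are not translated, so a generated stanza may forward more than the view displays; the function reports that so you can tighten the filter by hand.

```python
"""Turn an exported Event Viewer custom view into Splunk inputs.conf stanzas.

Each <Select Path="..."> becomes a [WinEventLog://<Path>] stanza; EventID terms
in the Select become a whitelist, EventID terms in a <Suppress> a blacklist.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample view spanning two channels (names and IDs are made up).
SAMPLE_VIEW_XML = """<ViewerConfig>
  <QueryConfig>
    <QueryNode>
      <Name>App errors and task scheduler</Name>
      <QueryList>
        <Query Id="0" Path="Application">
          <Select Path="Application">*[System[(Level=1 or Level=2) and (EventID=1000 or EventID=1001)]]</Select>
          <Suppress Path="Application">*[System[EventID=1026]]</Suppress>
        </Query>
        <Query Id="1" Path="Microsoft-Windows-TaskScheduler/Operational">
          <Select Path="Microsoft-Windows-TaskScheduler/Operational">*[System[Provider[@Name='Microsoft-Windows-TaskScheduler']]]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
</ViewerConfig>"""

EVENT_ID_RE = re.compile(r"EventID\s*=\s*(\d+)")
# Predicates the whitelist cannot express; their presence is flagged, not translated.
UNTRANSLATED_RE = re.compile(r"\b(Level|Provider)\b")


def parse_view(xml_text):
    """Return {channel_path: {"whitelist": [...], "blacklist": [...], "lossy": bool}}."""
    root = ET.fromstring(xml_text)
    channels = {}
    for node in root.iter():
        if node.tag not in ("Select", "Suppress") or not node.get("Path"):
            continue
        entry = channels.setdefault(
            node.get("Path"), {"whitelist": set(), "blacklist": set(), "lossy": False}
        )
        key = "whitelist" if node.tag == "Select" else "blacklist"
        entry[key].update(int(m) for m in EVENT_ID_RE.findall(node.text or ""))
        if node.tag == "Select" and UNTRANSLATED_RE.search(node.text or ""):
            entry["lossy"] = True  # stanza will be broader than the view
    return {
        p: {"whitelist": sorted(e["whitelist"]), "blacklist": sorted(e["blacklist"]), "lossy": e["lossy"]}
        for p, e in channels.items()
    }


def render_inputs_conf(channels, index="yourindexname"):
    """Render one [WinEventLog://<Path>] stanza per channel in the view."""
    stanzas = []
    for path, entry in channels.items():
        lines = [f"[WinEventLog://{path}]", "disabled = 0", "start_from = oldest", f"index = {index}"]
        if entry["whitelist"]:
            lines.append("whitelist = " + ",".join(map(str, entry["whitelist"])))
        if entry["blacklist"]:
            lines.append("blacklist = " + ",".join(map(str, entry["blacklist"])))
        if entry["lossy"]:
            lines.append("# NOTE: view also filters on Level/Provider; this stanza forwards more events")
        stanzas.append("\n".join(lines))
    return "\n\n".join(stanzas) + "\n"


if __name__ == "__main__":
    print(render_inputs_conf(parse_view(SAMPLE_VIEW_XML)))
```

Run it against your own exported view instead of the constructed sample and paste the output into inputs.conf; anything marked lossy still needs a hand-written whitelist regex or the file-export route from the first answer.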