Feature Request: Allow wildcards in Windows Event Log input

snix
Communicator

Currently I know of no way (that I can find) to specify in the input that all event logs on Windows should be collected using wildcards. You can specify individual logs, and that is fine if all you want is the main Windows logs, but if you want to collect all the Applications and Services Logs you would have to put them all in by hand. Given that there can be hundreds of these logs, and new ones get added all the time when new applications get installed, it is impossible to add them all to the list manually.

Just looking for a blanket collect all option for Windows Event Logs.

0 Karma

koshyk
Super Champion

How would you then associate the sourcetype? Each Windows event log has a specific sourcetype.

0 Karma

gcusello
SplunkTrust

Hi snix,
Using the TA-Windows (which you can download from Splunkbase), you already have all the standard Windows inputs: Windows Event Logs, perfmon, processes, etc. You only have to add logs from applications that don't write to the Event Log but to the filesystem.
To take those, you have to configure your Forwarder to ingest logs from the filesystem, pointing to one or more specific directories. I suggest that you manage them one by one, because you need to clearly identify each log, assigning an eventtype to each one.

You could also (I do not recommend it!) create an input pointing to all *.log files on your filesystem, but I do not recommend this because it overloads the monitored system and you cannot identify each data flow.
Anyway, if you want to recursively take all logs in a directory with many subdirectories, you could write

[monitor://C:\users\...\*.log]

Using the three dots, you take all the subdirectories; in this way you take all the logs in *.log files in every subdirectory of your directory tree.

Bye.
Giuseppe

0 Karma

snix
Communicator

@Cusello I have played with TA-Windows in the past when I first set up Splunk and found it a little much for what I needed, as all I really wanted was the Windows event logs, and I left the system monitoring to other solutions. But I thank you for the suggestion.

Really, all I am looking for is a simple way to use wildcards in the universal forwarder input file to specify all logs found under the "Applications and Services Logs" folder in Event Viewer, so I can continue to pull in logs the same way I do now, but the forwarder could just grab all the additional application logs dynamically as new applications get added. Then I won't need a crystal ball to guess all the possible application logs I might need in the future and put them all in by hand.

You mention I can do this by pointing to physical log files and directories, but if that somehow messes with the current formatting and they all just show up as some kind of big blob of data, and not like I get now with the main Windows logs, then I would like to avoid that as well.

I currently have the capability to collect all the logs through a solution called Event Log Analyzer from ManageEngine, but their solutions are not all that great, so we moved away from them years ago with the exception of the Event Log Analyzer application. I currently have to run it in tandem with Splunk so we have access to all logs found in Windows Event Viewer, but if wildcards were allowed, or if I could just pick the top folder and it would recursively grab all logs under it in Event Viewer, then I would finally be able to be rid of them entirely.

0 Karma
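Since the WinEventLog input takes one stanza per channel, one practical way to get the "collect everything under Applications and Services Logs" behaviour asked for above is to have the host enumerate its own channels and generate the stanzas. The script below is an added example written for this thread; it is not code from the original post, from Splunk, or from the TA-Windows add-on. It assumes the stanza form `[WinEventLog://<channel name>]` from the Splunk inputs.conf documentation, and the output path, the set of excluded classic logs, and the per-stanza settings are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): enumerate every enabled Windows event log
# channel that is not one of the classic "Windows Logs" and emit a Splunk
# inputs.conf stanza for each one. Run on the host as an account that can read
# the channels (some Microsoft-Windows-* channels deny access to non-admins).
$OutFile = 'C:\Temp\inputs-wineventlog.conf'   # assumed destination path

# The classic logs shown under "Windows Logs" in Event Viewer. Everything else
# returned by Get-WinEvent -ListLog is what Event Viewer groups under
# "Applications and Services Logs" (Microsoft-Windows-*/Operational, vendor
# channels, and so on). Assumed set; add channels you already collect elsewhere.
$classic = @('Application', 'Security', 'System', 'Setup', 'ForwardedEvents')

# -ListLog * lists every registered channel. Debug/Analytic channels are
# disabled by default, so filtering on IsEnabled keeps them out of the config.
# Access-denied channels return errors rather than objects; suppress those.
$channels = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and ($classic -notcontains $_.LogName) } |
    Sort-Object LogName

$stanzas = foreach ($ch in $channels) {
    # Skip channels that are empty or whose record count could not be read
    # ($null). Drop this check if you want stanzas for channels that may fill
    # up later (new software often creates its channel before writing to it).
    if (-not $ch.RecordCount) { continue }

    # One stanza per channel. The channel name (e.g. Microsoft-Windows-TaskScheduler/
    # Operational) is used verbatim after WinEventLog://. The settings below are
    # assumed defaults for illustration; adjust start_from / current_only to
    # control whether historical events are backfilled on first start.
    @"
[WinEventLog://$($ch.LogName)]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

"@
}

# Write ASCII so the forwarder does not trip over a BOM at the top of the file.
$stanzas | Set-Content -Path $OutFile -Encoding ASCII
Write-Host ("Wrote {0} stanzas to {1}" -f @($stanzas).Count, $OutFile)
```

Drop the generated file into the inputs.conf of the app you push from the deployment server (or into a local app on the forwarder) and restart the forwarder. Because the list is a snapshot, re-run the script on a schedule or after software installs to pick up channels that did not exist yet, which is exactly the case the wildcard request is about. Two caveats worth checking before enabling this broadly: hundreds of channels can add up quickly against the license, and the sourcetype is whatever the WinEventLog input assigns by default, so any per-channel sourcetype or index overrides (the point raised earlier in the thread) still have to be added to the generated stanzas by hand.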

gcusello
SplunkTrust

Hi snix,
I don't understand why you need another tool to take logs from Windows Event Viewer, or what your problem is: you can continuously take all of them, optionally filtering them, directly using the Forwarder.

You don't need a wildcard to take all Windows Event Logs; you only need to enable three input stanzas in TA-Windows.

To have more control, I usually prefer not to enable TA-Windows at Forwarder installation but to deploy it using a Deployment Server.

Bye.
Giuseppe

0 Karma