Getting Data In

Cannot receive WinEventLog via inputs.conf

johant
Explorer

My current setup:

  • Splunk Indexer (Deployment Server)
  • Domain Controller (Windows Server 2008) - UF installed as Deployment Client

I wanted to use Windows App Infrastructure to read the logs, so I followed this documentation https://docs.splunk.com/Documentation/MSApp/1.4.2/MSInfra/ConfiguretheSplunkAppforWindowsInfrastruct...

I have installed all add-ons required on both Splunk Indexer and Domain Controller. The networking and firewall rules are all fine because I can receive "Active Directory" logs in the Indexer.

However, I cannot get any WinEventLog (Security, Application, System) even though I have enabled the monitoring in inputs.conf (\etc\deployment-apps\Splunk_TA_windows\local\inputs.conf).
This is what my inputs.conf looks like:

# OS Logs

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false

Can anyone tell me the reason why I cannot get those logs to Indexer?
Thanks

0 Karma
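The two blacklist lines in the Security stanza above decide which 4662 and 566 events the forwarder drops before they ever reach the indexer, so it is worth being sure what they match. The following is an added example, not code from the post or from Splunk: it re-implements the blacklist semantics in Python (assumption: within one blacklist entry every key=regex pair must match, and each regex is applied with an unanchored search) and runs them over a few constructed events.

```python
import re

# Blacklist entries copied from the Security stanza in the post,
# represented as field -> regex (constructed representation).
BLACKLISTS = [
    {"EventCode": r"4662", "Message": r"Object Type:(?!\s*groupPolicyContainer)"},
    {"EventCode": r"566",  "Message": r"Object Type:(?!\s*groupPolicyContainer)"},
]

# Constructed sample events (not real log data); Message mimics the
# "Object Type:" line found in 4662/566 audit events.
SAMPLE_EVENTS = [
    {"EventCode": "4662", "Message": "An operation was performed on an object.\n\tObject Type:\t\tgroupPolicyContainer\n"},
    {"EventCode": "4662", "Message": "An operation was performed on an object.\n\tObject Type:\t\tuser\n"},
    {"EventCode": "4624", "Message": "An account was successfully logged on."},
    {"EventCode": "566",  "Message": "Object Type: computer"},
]


def is_blacklisted(event, blacklists=BLACKLISTS):
    """Return True if any blacklist entry matches the event.

    Assumption: an entry matches only when every key=regex pair in it
    matches (re.search, unanchored) the corresponding event field.
    """
    for entry in blacklists:
        if all(re.search(rx, str(event.get(key, ""))) for key, rx in entry.items()):
            return True
    return False


def filter_events(events, blacklists=BLACKLISTS):
    """Split events into (kept, dropped) the way the input filter would."""
    kept, dropped = [], []
    for ev in events:
        (dropped if is_blacklisted(ev, blacklists) else kept).append(ev)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_events(SAMPLE_EVENTS)
    for ev in kept:
        print("KEPT   ", ev["EventCode"], ev["Message"].splitlines()[-1].strip())
    for ev in dropped:
        print("DROPPED", ev["EventCode"], ev["Message"].splitlines()[-1].strip())
```

With these rules the 4662 event on a groupPolicyContainer is kept (the negative lookahead fails, so the Message regex does not match) while the 4662 event on a user object and the 566 event on a computer object are dropped; the 4624 logon is untouched because no entry's EventCode regex matches it. Because the EventCode regex is unanchored, a value such as "14662" would also match "4662"; anchor the pattern if that matters in your environment.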
1 Solution

gcusello
SplunkTrust

Hi johant,
there are some checks to perform on your system to find the problem:

  • are wineventlogs enabled on your Domain Controller?
  • did you check if the Domain Controller and the Indexer have the same time?
  • check using ./splunk cmd btool inputs list --debug > inputs.txt if there are other wineventlogs configurations where WinEventLog://Security is disabled

Bye.
Giuseppe


SumitPan
Explorer

How did you enable these logs? I failed to change disabled=0 for System and Application. Even though I'm trying to do it after stopping Splunkd, I'm still receiving an error that the file is open somewhere.

0 Karma

johant
Explorer

Hi SumitPan,

I assume you grab the logs using the Universal Forwarder? If so, you have to make sure that you choose "custom installation"; otherwise the UF will send all Windows logs by default, and I found that we cannot change that in inputs.conf.

Regards,
Johan Tanadi

0 Karma

hardikJsheth
Motivator

Did you choose the "restart your forwarder" option after deployment when configuring the server class on your deployment server? If you make any change to your input stanzas, you need to restart your Splunk forwarder. Choose the option to restart the forwarder and push your bundle again.

0 Karma

johant
Explorer

Hi Hardik,

No, I did not enable that option; however, I manually restarted the UF and I still cannot get the logs to my indexer.
Is it a best practice to automatically restart the forwarder every time I make a deployment?

Thanks

0 Karma

hardikJsheth
Motivator

It will depend on the type of applications that you are pushing to the forwarder. But to be on the safer side you can keep this option selected.

0 Karma

johant
Explorer

Hi Giuseppe,

  • Can you tell me how to check that? I can see the event on the windows 'Event Viewer' so I assume it should be enabled?
  • Yes, both of them have the same system time.
  • I ran this command and I cannot see WinEventLog://Security, Application or System listed in inputs.txt. How do I make sure that those WinEventLog inputs are listed in there?

Thanks

0 Karma

gcusello
SplunkTrust

Sorry, but maybe I was misunderstood: this command must be run on the forwarder, not on the indexer:

splunk cmd btool inputs list --debug > inputs.txt

Bye.
Giuseppe

0 Karma
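The btool check Giuseppe recommends (run on the forwarder, as clarified above) prints the merged effective configuration with the file each winning value came from. Reading that by eye for three channels is easy; across many forwarders it is not. The following is an added example, not code from the thread or from Splunk: a small Python parser for the btool --debug output that reports, for each expected WinEventLog stanza, whether it is missing entirely (johant's situation) or whether a higher-precedence file has set disabled = 1. It assumes the line shape "<path to .conf> <stanza header or key = value>", and the sample output is constructed, with an assumed etc\system\local\inputs.conf override.

```python
import re

# Channels the thread expects the forwarder to ship.
EXPECTED = ("WinEventLog://Application", "WinEventLog://Security", "WinEventLog://System")

# Assumed shape of each btool --debug line: the source .conf path, whitespace,
# then either a [stanza] header or a "key = value" line. Non-greedy so that
# Windows paths containing spaces still split at the first ".conf".
LINE_RE = re.compile(r"^(?P<path>.+?\.conf)\s+(?P<body>.*)$")

# Constructed sample output (not captured from a real forwarder).
SAMPLE_BTOOL = r"""
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf [WinEventLog://Application]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf index = wineventlog
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf disabled = 1
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf index = wineventlog
"""


def parse_btool(text):
    """Parse btool --debug output into {stanza: {key: (value, source_path)}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or something we do not recognise
        path, body = m.group("path"), m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in body:
            key, _, value = body.partition("=")
            stanzas[current][key.strip()] = (value.strip(), path)
    return stanzas


def audit_wineventlog(stanzas, expected=EXPECTED):
    """Return one finding string per expected channel."""
    findings = []
    for name in expected:
        stanza = stanzas.get(name)
        if stanza is None:
            findings.append(f"{name}: no stanza at all (input never reached this forwarder)")
            continue
        value, source = stanza.get("disabled", ("0", "<default>"))
        if value.lower() in ("1", "true"):
            findings.append(f"{name}: disabled = 1 wins from {source}")
        else:
            findings.append(f"{name}: enabled (disabled = {value} from {source})")
    return findings


if __name__ == "__main__":
    # In practice: splunk cmd btool inputs list --debug > inputs.txt, then
    # open(r"inputs.txt").read() in place of SAMPLE_BTOOL.
    for line in audit_wineventlog(parse_btool(SAMPLE_BTOOL)):
        print(line)
```

On the constructed sample the Application input is enabled, the Security input is reported as disabled with etc\system\local\inputs.conf as the winning file (which is exactly the "other configuration" the check is meant to surface), and System is reported as having no stanza at all, which is what johant saw before reinstalling the forwarder.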

johant
Explorer

Yes, I ran that on the forwarder and I still cannot find WinEventLog://Security.
It is all right now: I re-installed the forwarder on the Windows machine, and when I run that command I can see all the inputs that I wanted.

0 Karma

gcusello
SplunkTrust

Just an additional bit: at installation, the Splunk Forwarder on Windows usually configures WinEventLog ingestion.
To avoid problems like the ones you had, I usually disable this ingestion and install Splunk_TA_windows, configured for my project's needs, always using a Deployment Server.

Bye.
Giuseppe

0 Karma