Getting Data In

Find out the type of logs which are captured when it is using a script \bin\scripts\splunk-wmi.path ?

knam
Explorer

I installed SplunkForwarder and during the installation wizard, I checked all the logs for Windows (Application, Security, etc.) but in the inputs.conf, all I see is

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]

How can I find out exactly which logs are being captured when it is using a script?

Some of my old inputs.conf uses the WinEventLog which specifically says Application, Security, System, etc. The splunk-wmi.path just points to a splunk-wmi.exe. How does splunk-wmi.exe know which logs to push? Is there another conf file splunk-wmi.exe looks at?

0 Karma
1 Solution

knam
Explorer

UPDATE with correct answer

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path] script stanza in \etc\system\local\ DOES NOT capture all WinEventLogs if you did not select all the WinEvent Types during the SplunkUniversalForwarder installation wizard.

If you only selected Application event log for example and you want to include System and Security logs to be indexed, update the inputs.conf under \etc\apps\Splunk_TA_windows\local. Just add disabled=0 under the WinEventLog stanzas like below.

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

BELOW IS WRONG

Spoke with Splunk On-prem Support and confirmed that Splunk Universal Forwarders with the

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]

stanza in the \etc\system\local\inputs.conf will by default push all Windows Event Logs. If you want to limit the Win Event Logs to be indexed, you will have to blacklist the specific logs.

https://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Whitelistorblacklistspecificincomingdata

http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogdata

https://www.splunk.com/blog/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log.h...

https://answers.splunk.com/answers/152131/filter-windows-eventcode-using-blacklist-and-whitelist.htm...

View solution in original post

0 Karma

knam
Explorer

UPDATE with correct answer

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path] script stanza in \etc\system\local\ DOES NOT capture all WinEventLogs if you did not select all the WinEvent Types during the SplunkUniversalForwarder installation wizard.

If you only selected Application event log for example and you want to include System and Security logs to be indexed, update the inputs.conf under \etc\apps\Splunk_TA_windows\local. Just add disabled=0 under the WinEventLog stanzas like below.

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

BELOW IS WRONG

Spoke with Splunk On-prem Support and confirmed that Splunk Universal Forwarders with the

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]

stanza in the \etc\system\local\inputs.conf will by default push all Windows Event Logs. If you want to limit the Win Event Logs to be indexed, you will have to blacklist the specific logs.

https://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Whitelistorblacklistspecificincomingdata

http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogdata

https://www.splunk.com/blog/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log.h...

https://answers.splunk.com/answers/152131/filter-windows-eventcode-using-blacklist-and-whitelist.htm...

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...