Will someone tell me the command Splunk is using t...

danman06 · ‎09-19-2018

Can someone tell me the command Splunk is using to read the Windows security event log. I have one server that will send to _internal, but not send to the specified index of my input. It really seems like it can't read the event log. But I'm unsure. Are there some debug settings I can turn on? I came across this link and plan to try that tomorrow.

https://answers.splunk.com/answers/239644/how-to-troubleshoot-why-splunk-stopped-indexing-wm.html?ut...

gcusello · ‎09-19-2018

Hi danman06,
if you're receiving _internal logs you've correctly configured outputs.conf.
To take Windows, I suggest to use the Splunk_TA_Windows so that you can download from Splunkbase ( https://splunkbase.splunk.com/app/742/ ).
You have to:

copy this TA on your Universal Forwarder in $SPLUNK_HOME\splunkuniversalforwarder\etc\apps;
then copy the default\inputs.conf file in local\inputs.conf;
modify the local\inputs.conf file enabling WinEventLog:Security stanza changing disabled=1 in disabled=0;
restart Splunk on Forwarder.

At http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/AbouttheSplunkAdd-onforWindows , you can find the documentation to install and configure Splunk_TA_Windows.

In this way you're sure to correctly configure your Windows inputs and you're ready for the next step: deploy this TA in other Forwarder using the Deployment Server, but this is another thing.

Bye.
Giuseppe

Will someone tell me the command Splunk is using to read Windows security event logs?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes