
How to get Windows logs into my Splunk instance on Ubuntu?

themedina
New Member

Hello,

My organization is looking into using Splunk as a central log server. I have successfully installed Splunk on an Ubuntu 12.04 LTS box. I'm having a hard time finding documentation explaining how to get event logs, IIS logs, etc. to be viewable in the Splunk web interface. I found a ton of information on the universal forwarders; however, after installing the forwarder on one of our Windows boxes, I'm not really sure where to proceed. I have Splunk listening on 9997 for forwarders and in theory everything should be working (to my knowledge). I may have a misunderstanding of how something is supposed to be working; however, I'm not really sure where to look. I've spent a lot of time looking at a bunch of documentation... I also can't seem to find a YouTube video or something that walks through the process on both the host with the forwarder installed and the Splunk server itself. Please help 😞

Thank you,

Christopher L. Medina

0 Karma

somesoni2
Revered Legend

This should give you some details about configuring Windows Event data consumption (see the section "Collect event logs from a remote Windows machine" onwards):

http://docs.splunk.com/Documentation/Splunk/6.1.2/Data/Monitorwindowsdata

This should help for IIS data:

http://answers.splunk.com/answers/110846/help-configuring-universal-forwarder-with-iis-logs

General information on how to use forwarders is available here:

http://docs.splunk.com/Documentation/Splunk/6.1.2/Data/Usingforwardingagents
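As an added example (not from this thread or the linked docs), these are the minimal pieces that tie a Windows Universal Forwarder to the Ubuntu indexer: two files on the Windows host and one on the Ubuntu server. The indexer address 10.0.0.5 and the IIS site log folder W3SVC1 are assumptions; substitute your own.

```ini
# --- Windows host: %SPLUNK_HOME%\etc\system\local\outputs.conf (Universal Forwarder)
# Where to send data. 10.0.0.5 is a placeholder for the Ubuntu indexer's IP/hostname.
[tcpout]
defaultGroup = ubuntu_indexer

[tcpout:ubuntu_indexer]
server = 10.0.0.5:9997

# --- Windows host: %SPLUNK_HOME%\etc\system\local\inputs.conf (Universal Forwarder)
# Windows event logs, read locally through the Event Log API and shipped to the indexer.
# Security is the channel most useful for detection (logons, account changes, audit policy).
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://System]
disabled = 0

[WinEventLog://Application]
disabled = 0

# IIS site logs: W3SVC1 is the default site's folder; check the site ID in IIS Manager.
# The pretrained "iis" sourcetype parses the W3C "#Fields:" header format.
[monitor://C:\inetpub\logs\LogFiles\W3SVC1]
sourcetype = iis
disabled = 0

# --- Ubuntu indexer: $SPLUNK_HOME/etc/system/local/inputs.conf
# Accept forwarder traffic on 9997 (equivalent to "splunk enable listen 9997").
[splunktcp://9997]
disabled = 0
```

Restart splunkd on both hosts after editing, then on the indexer search `index=_internal source=*metrics.log group=tcpin_connections` to confirm the forwarder has connected, and `sourcetype=WinEventLog:Security` or `sourcetype=iis` to see the data itself.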
