Monitor Windows Event Log data

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6

This topic discusses ways to configure Splunk to monitor Windows Event logs. You can configure this via Splunk Web or via configuration files.

Note: To add another log channel to monitor on localhost, edit the existing input. To monitor a remote machine, add a new input.

Configure Windows Event Log monitoring with Splunk Web

1. Click Manager in the upper right-hand corner of Splunk Web.

2. Under System configurations, click Data Inputs.

3. Click Event Log collections.

4. Click New to add an input.

5. Enter a unique name for this collection.

6. Specify a hostname or IP address for the host from which to pull logs, and click Find logs... to get a list of logs from which to choose.

Note: Windows Vista offers many channels; depending on the CPU available to Splunk, selecting all or a large number of them can result in high load.

7. Optionally, provide a comma-separated list of additional servers from which to pull data.

8. Click Save.

The input is added and enabled.

Configure Windows Event log monitoring using configuration files

1. Copy inputs.conf from $SPLUNK_HOME\etc\system\default to $SPLUNK_HOME\etc\system\local.

2. Clear the "Read Only" attribute on the copied file.

3. Open and enable the Windows Event Log inputs using the specifics below.

4. Restart Splunk.

Windows Event Log monitoring inputs.conf specifics

Windows event logs are stored as binary *.evt files and cannot be monitored like a flat file. The settings that control which event logs are indexed live in the following stanzas in inputs.conf:

# Windows platform specific input processor.
[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
[WinEventLog:System]
disabled = 0

You can configure Splunk to read non-default Windows event logs as well, but you must first import them into the Windows Event Viewer and then add them to your local copy of inputs.conf (usually $SPLUNK_HOME\etc\system\local\inputs.conf) as follows:

[WinEventLog:DNS Server]
disabled = 0
[WinEventLog:Directory Service]
disabled = 0
[WinEventLog:File Replication Service]
disabled = 0

To disable indexing for an event log, set disabled = 1 in that log's stanza in $SPLUNK_HOME\etc\system\local\inputs.conf.
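As an added example that is not part of this Splunk documentation, the following Python check applies the default/local layering described above (a key in local inputs.conf overrides the same key in default) to the WinEventLog stanzas and reports which channels are actually collected. The two inputs.conf texts inside it are constructed stand-ins, not Splunk's shipped files, and a stanza without a disabled key is treated as enabled.

```python
# Added example: parse Splunk inputs.conf layering (default, then local overriding per key)
# and report which WinEventLog channels are collected. DEFAULT_CONF and LOCAL_CONF are
# constructed stand-ins for $SPLUNK_HOME\etc\system\{default,local}\inputs.conf.
from typing import Dict, List

DEFAULT_CONF = """\
# Windows platform specific input processor.
[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
[WinEventLog:System]
disabled = 0
"""

LOCAL_CONF = """\
[WinEventLog:Security]
disabled = 1
[WinEventLog:DNS Server]
disabled = 0
"""

def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [stanza] headers and key = value lines; lines starting with '#' are comments."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_channels(default_text: str, local_text: str) -> Dict[str, bool]:
    """Merge local over default per key; a stanza with no 'disabled' key counts as enabled."""
    merged = parse_stanzas(default_text)
    for name, keys in parse_stanzas(local_text).items():
        merged.setdefault(name, {}).update(keys)
    return {n[len("WinEventLog:"):]: k.get("disabled", "0") != "1"
            for n, k in merged.items() if n.startswith("WinEventLog:")}

def collection_gaps(channels: Dict[str, bool],
                    required=("Application", "Security", "System")) -> List[str]:
    """Required channels that are missing or disabled, i.e. blind spots for detection."""
    return [c for c in required if not channels.get(c, False)]
```

Running collection_gaps(effective_channels(DEFAULT_CONF, LOCAL_CONF)) flags the Security channel, since the constructed local file disables it even though default enables it.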

Index exported Windows Event Log (.evt or .evtx) files

To index exported Windows Event Log files, use the instructions for monitoring files and directories.

Caveats

  • Do not use the Upload a local file feature; it does not currently work with this file type.
  • The file must be accessible as local to your Splunk installation.
  • Do not attempt to monitor a .evt or .evtx file that is currently being written to, because Windows will not release the lock on the file. Best practice is to point the monitor at the directory into which your exported files are placed, so that new files are indexed automatically.
Revision: 207