This topic discusses ways to configure Splunk to monitor Windows Event logs. You can configure this via Splunk Web or via configuration files.
Note: To add another log channel to monitor on localhost, edit the existing input. To monitor a remote machine, add a new input.
1. Click Manager in the upper right-hand corner of Splunk Web.
2. Under System configurations, click Data Inputs.
3. Click Event Log collections.
4. Click New to add an input.
5. Enter a unique name for this collection.
6. Specify a hostname or IP address for the host from which to pull logs, and click Find logs... to get a list of logs from which to choose.
Caution: Windows Vista offers many channels; depending on the CPU available to Splunk, selecting all or a large number of them can result in high load.
7. Optionally, provide a comma-separated list of additional servers from which to pull data.
8. Click Save.
The input is added and enabled.
1. Copy inputs.conf from $SPLUNK_HOME\etc\system\default to $SPLUNK_HOME\etc\system\local.
2. Clear the "Read Only" attribute on the copied file.
3. Open and enable the Windows Event Log inputs using the specifics below.
4. Restart Splunk.
Windows event logs are stored in binary *.evt files and cannot be monitored like flat files. The event logs to index are controlled by the following stanzas in inputs.conf:
# Windows platform specific input processor.
[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
[WinEventLog:System]
disabled = 0
You can configure Splunk to read non-default Windows event logs as well, but you must import them into the Windows Event Viewer first, and then add them to your local copy of inputs.conf (usually $SPLUNK_HOME\etc\system\local\inputs.conf) as follows:
[WinEventLog:DNS Server]
disabled = 0
[WinEventLog:Directory Service]
disabled = 0
[WinEventLog:File Replication Service]
disabled = 0
To disable indexing for an event log, add disabled = 1 below its listing in the stanza in $SPLUNK_HOME\etc\system\local\inputs.conf.
evt_resolve_ad_obj = <integer> 1|0
This setting enables or disables resolution of Active Directory objects (GUIDs and SIDs) for a specific Windows event log channel. By default it is turned on for the Security event log. Optionally, you can specify the domain controller name and/or the DNS name of the domain to bind to (using the evt_dc_name or evt_dns_name settings), and Splunk then uses that domain controller to resolve the AD objects. Setting this to 0 disables GUID/SID resolution.
evt_dc_name = <string>
Optional; this parameter can be left empty. This setting lets you specify a particular domain controller to bind to. The value can be the name of the domain controller or its fully-qualified DNS name. Either form can optionally be preceded by two backslash characters. All of the following examples represent correctly formatted domain controller names:
evt_dns_name = <string>
Optional; this parameter can be left empty. Fully-qualified DNS name of the domain to bind to.
Use these settings to specify the chronological order in which to index events (oldest to newest or newest to oldest), and whether to index all pre-existing events or only new events:
start_from = oldest
current_only = 1
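The stanzas above live in two layers: the defaults shipped in etc\system\default and your overrides in etc\system\local, where a key set in local wins over the same key in default. The following added example (not Splunk's own code) parses both layers for the [WinEventLog:...] stanzas only, applies that override rule, lists the channels that will actually be indexed, and flags values outside the documented ranges for disabled, evt_resolve_ad_obj, current_only, start_from and evt_dc_name. The two file contents are constructed samples; the channel names and the dc01.example.test host are placeholders.

```python
"""Report the effective WinEventLog inputs from Splunk default/local inputs.conf layers.

Added example, not Splunk code. Assumes the layering rule described in the text:
a key in etc/system/local overrides the same key in etc/system/default, and a
stanza with no 'disabled' key is enabled (Splunk's documented default).
"""
import re

# Constructed sample: the stanzas shipped in etc/system/default/inputs.conf.
DEFAULT_CONF = r"""
# Windows platform specific input processor.
[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
[WinEventLog:System]
disabled = 0
"""

# Constructed sample: a local layer that disables one channel, tunes Security,
# adds two non-default channels, and contains one deliberately invalid value.
LOCAL_CONF = r"""
[WinEventLog:System]
disabled = 1
[WinEventLog:Security]
evt_resolve_ad_obj = 1
evt_dc_name = \\dc01.example.test
start_from = oldest
current_only = 0
[WinEventLog:DNS Server]
disabled = 0
start_from = newest
current_only = 1
[WinEventLog:Directory Service]
disabled = 0
evt_resolve_ad_obj = 2
"""

STANZA_RE = re.compile(r"^\[(WinEventLog:[^\]]+)\]$")
# Host or FQDN, optionally preceded by two backslashes, as the evt_dc_name text describes.
DC_NAME_RE = re.compile(r"^(\\\\)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def parse_conf(text):
    """Return {stanza_name: {key: value}} for the WinEventLog stanzas in one conf file.

    Blank lines and '#' comments are skipped; other input types ([monitor:...]) are
    ignored until the next WinEventLog stanza header.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = STANZA_RE.match(line)
        if match:
            current = stanzas.setdefault(match.group(1), {})
            continue
        if line.startswith("["):
            current = None
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def merge_layers(default, local):
    """Apply Splunk layering: every key in local overrides the same key in default."""
    merged = {name: dict(settings) for name, settings in default.items()}
    for name, settings in local.items():
        merged.setdefault(name, {}).update(settings)
    return merged


def enabled_channels(merged):
    """Channel names Splunk will index: 'disabled' is absent or '0'."""
    return [name.split(":", 1)[1] for name, s in merged.items()
            if s.get("disabled", "0") == "0"]


def validate(merged):
    """Return (stanza, problem) pairs for settings outside the documented values."""
    problems = []
    for name, s in merged.items():
        for key in ("disabled", "evt_resolve_ad_obj", "current_only"):
            if key in s and s[key] not in ("0", "1"):
                problems.append((name, f"{key} must be 0 or 1, got {s[key]!r}"))
        if "start_from" in s and s["start_from"] not in ("oldest", "newest"):
            problems.append((name, f"start_from must be oldest or newest, got {s['start_from']!r}"))
        if s.get("evt_dc_name") and not DC_NAME_RE.match(s["evt_dc_name"]):
            problems.append((name, f"evt_dc_name {s['evt_dc_name']!r} is not a host or FQDN"))
    return problems


def effective_config():
    """Merged view of the two constructed layers."""
    return merge_layers(parse_conf(DEFAULT_CONF), parse_conf(LOCAL_CONF))


if __name__ == "__main__":
    cfg = effective_config()
    print("Channels that will be indexed:", ", ".join(enabled_channels(cfg)))
    for stanza, problem in validate(cfg):
        print(f"[{stanza}] {problem}")
```

Run it against your own files by replacing the two constructed strings with the contents of the default and local inputs.conf; a channel that you expected to collect but that is missing from the first line of output is the usual sign of a disabled = 1 left behind in the local layer.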
To index exported Windows Event Log files, use the instructions for monitoring files and directories.
Caveats
If indexed events carry the message "Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.", the workaround is to run a Splunk forwarder on the originating machine. Splunk cannot be modified to simply "work" in this situation; the problem originates from the lack of information provided by the Windows OS when the log is read from a machine that does not have the event source installed.