Admin Manual

Monitor Windows Event Log data

This topic discusses ways to configure Splunk to monitor Windows Event logs. You can configure this via Splunk Web or via configuration files.

Note: To add another log channel to monitor on localhost, edit the existing input. To monitor a remote machine, add a new input.

Configure Windows Event Log monitoring with Splunk Web

1. Click Manager in the upper right-hand corner of Splunk Web.

2. Under System configurations, click Data Inputs.

3. Click Event Log collections.

4. Click New to add an input.

5. Enter a unique name for this collection.

6. Specify a hostname or IP address for the host from which to pull logs, and click Find logs... to get a list of logs from which to choose.

Note: Windows Vista offers many channels; depending on the CPU available to Splunk, selecting all or a large number of them can result in high load.

7. Optionally, provide a comma-separated list of additional servers from which to pull data.

8. Click Save.

The input is added and enabled.

Configure Windows Event log monitoring using configuration files

1. Copy inputs.conf from $SPLUNK_HOME\etc\system\default to $SPLUNK_HOME\etc\system\local.

2. Clear the file's "Read Only" attribute.

3. Open and enable the Windows Event Log inputs using the specifics below.

4. Restart Splunk.

Windows Event Log monitoring inputs.conf specifics

Windows event logs are stored in binary *.evt files and cannot be monitored like a flat text file. The stanzas that control which event logs are indexed are in inputs.conf:

# Windows platform specific input processor.
[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
[WinEventLog:System]
disabled = 0

You can configure Splunk to read non-default Windows event logs as well, but you must first import them into the Windows Event Viewer and then add them to your local copy of inputs.conf (usually $SPLUNK_HOME\etc\system\local\inputs.conf) as follows:

[WinEventLog:DNS Server]
disabled = 0
[WinEventLog:Directory Service]
disabled = 0
[WinEventLog:File Replication Service]
disabled = 0

To disable indexing for an event log, set disabled = 1 under its stanza in $SPLUNK_HOME\etc\system\local\inputs.conf; the local setting overrides the default copy.
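As an added example (not Splunk's own tooling), the following Python script shows how the local copy of inputs.conf layers over the default stanzas above and reports which WinEventLog channels will actually be indexed, so an administrator can confirm that a local override did not silently switch off the Security or System log. The configuration text is constructed for the example, and the merge rule (a local stanza key overrides the same key in default) is an assumption mirroring the precedence this topic describes.

```python
"""Compute the WinEventLog channels Splunk will index after layering
$SPLUNK_HOME\\etc\\system\\local\\inputs.conf over the default copy."""
import configparser

PREFIX = "WinEventLog:"

# Constructed sample of the default inputs.conf stanzas shown on this page.
DEFAULT_INPUTS = """
# Windows platform specific input processor.
[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
[WinEventLog:System]
disabled = 0
"""

# Constructed sample local override: adds DNS Server, disables Application.
LOCAL_INPUTS = """
[WinEventLog:DNS Server]
disabled = 0
[WinEventLog:Application]
disabled = 1
"""

def parse_stanzas(text):
    """Return {stanza: {key: value}} for the WinEventLog stanzas in one inputs.conf body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith(PREFIX)}

def effective_channels(default_text, local_text):
    """Merge local over default (assumption: local wins per key) and list indexed channels."""
    merged = parse_stanzas(default_text)
    for stanza, keys in parse_stanzas(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    # A stanza with no 'disabled' key is treated as enabled (same as disabled = 0).
    return sorted(s[len(PREFIX):] for s, k in merged.items()
                  if k.get("disabled", "0").strip().lower() not in ("1", "true"))

def missing_required(default_text, local_text, required=("Security", "System")):
    """Audit check: which of the required channels would the local override silence?"""
    enabled = set(effective_channels(default_text, local_text))
    return sorted(set(required) - enabled)

if __name__ == "__main__":
    print("Indexed channels:", effective_channels(DEFAULT_INPUTS, LOCAL_INPUTS))
    print("Missing required:", missing_required(DEFAULT_INPUTS, LOCAL_INPUTS))
```

Point the two constants at the real default and local files to audit a live forwarder before restarting Splunk.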

Index exported Windows Event Log (.evt or .evtx) files

To index exported Windows Event Log files, use the instructions for monitoring files and directories.

Caveats

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6.