Monitor Windows event log data
Contents
- Use Splunk Web to configure event log monitoring
- Configure local event log monitoring
- Configure remote event log monitoring
- Use inputs.conf to configure event log monitoring
- Event log monitoring configuration values
- Specify whether to index starting at earliest or most recent event
- Index exported event log (.evt or .evtx) files
- Known Issues
This topic discusses ways to configure Splunk to monitor Windows event logs. You can configure this via Splunk Web or via configuration files.
You can monitor two types of event log collections:
- Local
- Remote
Note: To add another log channel to monitor on localhost, edit the existing input. To monitor a remote machine, add a new input.
Use Splunk Web to configure event log monitoring
Configure local event log monitoring
1. Click Manager in the upper right-hand corner of Splunk Web.
2. Under System configurations, click Data Inputs.
3. Click Local event log collections.
4. Click Add new to add an input.
5. Select one or more logs from the list of Available Logs and click to add to the list of Selected Logs.
Note 1: Select up to 63 logs from the list of Available Logs. Selecting more than 63 can cause Splunk to become unstable.
Note 2: Certain Windows Event Log channels (known as direct channels) cannot be accessed or subscribed to for monitoring. Events sent through these channels are not processed by the Windows Event Log framework, so they cannot be forwarded or collected remotely. Attempts to monitor such a channel generate the error: "The caller is trying to subscribe to a direct channel which is not allowed."
6. Click Save.
The input is added and enabled.
Configure remote event log monitoring
1. Click Manager in the upper right-hand corner of Splunk Web.
2. Under System configurations, click Data Inputs.
3. Click Remote event log collections.
4. Click Add new to add an input.
5. Enter a unique name for this collection.
6. Specify a hostname or IP address for the host from which to pull logs, and click Find logs... to get a list of logs from which to choose.
Note: Windows Vista offers many channels; depending on the CPU available to Splunk, selecting all or a large number of them can result in high load.
7. Optionally, provide a comma-separated list of additional servers from which to pull data.
8. Click Save.
The input is added and enabled.
Use inputs.conf to configure event log monitoring
To edit inputs.conf:
1. Copy inputs.conf from %SPLUNK_HOME%\etc\system\default to %SPLUNK_HOME%\etc\system\local (settings in local override the defaults).
2. Use Explorer or the ATTRIB command to remove the file's "Read Only" flag.
3. Open the file and edit it to enable Windows event log inputs.
4. Restart Splunk.
The next section describes the specific configuration values for event log monitoring.
Event log monitoring configuration values
Windows event log (*.evt) files are in binary format. As such, they cannot be monitored like a flat file. The settings for which event logs to index are in the following stanza in inputs.conf:
# Windows platform specific input processor.
[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
[WinEventLog:System]
disabled = 0
You can also configure Splunk to read non-default Windows event logs, such as the logs created when a server role like DNS or Active Directory Domain Services is installed, but the log must already exist in the Windows Event Viewer on that host. Add a stanza for each one to your local copy of inputs.conf (usually %SPLUNK_HOME%\etc\system\local\inputs.conf) as follows:
[WinEventLog:DNS Server]
disabled = 0
[WinEventLog:Directory Service]
disabled = 0
[WinEventLog:File Replication Service]
disabled = 0
To disable indexing for an event log, add disabled = 1 below its listing in the stanza in %SPLUNK_HOME%\etc\system\local\inputs.conf.
If you have added non-standard event log channels and want to control whether Active Directory objects such as GUIDs and SIDs are resolved to names for a given channel, set evt_resolve_ad_obj in that channel's stanza in your local copy of inputs.conf (1 = resolve, 0 = leave the raw identifiers in the event). evt_resolve_ad_obj is on by default for the Security channel only.
To name the domain controller, and/or the DNS name of the domain, that Splunk binds to when resolving AD objects, set evt_dc_name and/or evt_dns_name alongside evt_resolve_ad_obj. evt_dc_name accepts either the name of the domain controller or its fully qualified DNS name, and either form can optionally be preceded by two backslash characters. All of the following are correctly formatted domain controller names:
- "FTW-DC-01"
- "\\FTW-DC-01"
- "FTW-DC-01.splunk.com"
- "\\FTW-DC-01.splunk.com"
Specify whether to index starting at earliest or most recent event
Use these settings to control the chronological order in which events are indexed (oldest to newest, or newest to oldest) and whether all pre-existing events are indexed or only events that arrive after Splunk starts:
start_from = oldest
current_only = 1
- start_from: By default, Splunk starts with the oldest event in the log and indexes forward. Setting it to newest tells Splunk to start with the newest event and index backward. Changing this is not recommended, because it makes the indexing process highly inefficient.
- current_only: When set to 1, Splunk indexes only new events that appear from the moment Splunk is started; events already in the log are skipped. When set to 0 (the default), all existing events are indexed as well. With current_only = 1, any events written while Splunk is not running are never collected, so every restart or outage leaves a gap in the indexed log; leave it at 0 for channels where complete coverage matters, such as the Security log.
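The following Python script, added here as an example and not part of the original documentation or of Splunk itself, parses the WinEventLog stanzas of an inputs.conf and checks them against the guidance in the last two sections: the 63-channel limit for a local collection, start_from = newest, current_only = 1, and the accepted forms of evt_dc_name. The sample configuration it reads is constructed for illustration, and the finding text is the script's own wording.

```python
"""Audit the WinEventLog stanzas of a Splunk inputs.conf against the guidance above.

Added example, not part of the original documentation or of Splunk itself.
The rules it applies are the ones stated on this page; the sample
configuration and the finding wording are constructed for illustration.
"""
import configparser
import re
from typing import Dict, List

# Constructed sample: a local inputs.conf with several WinEventLog stanzas,
# three of which use settings the page recommends against or rejects.
SAMPLE_INPUTS_CONF = """\
# Windows platform specific input processor.
[WinEventLog:Application]
disabled = 0

[WinEventLog:Security]
disabled = 0
evt_resolve_ad_obj = 1
evt_dc_name = \\\\FTW-DC-01.splunk.com

[WinEventLog:System]
disabled = 0
start_from = newest

[WinEventLog:DNS Server]
disabled = 1

[WinEventLog:Directory Service]
disabled = 0
current_only = 1

[WinEventLog:File Replication Service]
disabled = 0
evt_resolve_ad_obj = 1
evt_dc_name = SPLUNK\\FTW-DC-01

[monitor://C:\\ExportedLogs]
disabled = 0
"""

MAX_LOCAL_CHANNELS = 63  # the page's limit for one local collection
# A DC name or fully qualified DNS name, optionally prefixed with two backslashes.
DC_NAME_RE = re.compile(r"(\\\\)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")


def parse_winevent_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Return {channel name: {setting: value}} for every [WinEventLog:<name>] stanza."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    prefix = "WinEventLog:"
    return {s[len(prefix):]: dict(cp.items(s)) for s in cp.sections() if s.startswith(prefix)}


def enabled_channels(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Channels whose stanza is not explicitly disabled (disabled defaults to 0)."""
    return sorted(name for name, kv in stanzas.items() if kv.get("disabled", "0") != "1")


def valid_dc_name(name: str) -> bool:
    """True for the evt_dc_name forms the page lists, e.g. FTW-DC-01 or \\\\FTW-DC-01.splunk.com."""
    return DC_NAME_RE.fullmatch(name) is not None


def audit(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per setting that conflicts with the guidance on this page."""
    findings = []
    enabled = enabled_channels(stanzas)
    if len(enabled) > MAX_LOCAL_CHANNELS:
        findings.append(f"{len(enabled)} channels enabled; more than {MAX_LOCAL_CHANNELS} can make Splunk unstable")
    for name in enabled:
        kv = stanzas[name]
        if kv.get("start_from", "oldest") == "newest":
            findings.append(f"{name}: start_from = newest indexes backward, which is highly inefficient")
        if kv.get("current_only", "0") == "1":
            findings.append(f"{name}: current_only = 1 skips events written while Splunk is stopped (coverage gap)")
        # evt_resolve_ad_obj defaults to 1 only for the Security channel
        resolving = kv.get("evt_resolve_ad_obj", "1" if name == "Security" else "0") == "1"
        dc = kv.get("evt_dc_name")
        if resolving and dc is not None and not valid_dc_name(dc):
            findings.append(f"{name}: evt_dc_name {dc!r} is not a DC name or FQDN (optionally prefixed with \\\\)")
    return findings


if __name__ == "__main__":
    stanzas = parse_winevent_stanzas(SAMPLE_INPUTS_CONF)
    print("enabled channels:", ", ".join(enabled_channels(stanzas)))
    for finding in audit(stanzas):
        print("FINDING:", finding)
```

Run it against the real file (for example by reading %SPLUNK_HOME%\etc\system\local\inputs.conf into parse_winevent_stanzas) before rolling a configuration out to forwarders; on the sample it reports the backward-indexing System stanza, the Directory Service stanza that would lose events across restarts, and the malformed evt_dc_name.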
Index exported event log (.evt or .evtx) files
To index exported Windows event log files, use the instructions for monitoring files and directories to monitor the directory into which you place these exported files.
Known Issues
- A problem exists where events indexed from .evt and .evtx files are incorrectly routed to the 'main' index. This issue has been corrected in development, and the fix will ship in a future release of Splunk.
Constraints
- As a result of API and log channel processing constraints on Windows XP and 2003 systems, imported .evt files will not contain the message field. This means that the message field will not appear in your Splunk index.
- Splunk running on Windows 2000/2003/XP cannot index Vista/2008/Windows 7 .evtx files.
- Splunk running on Vista/2008/Windows 7 can index both .evt and .evtx files.
- If your .evt/.evtx file is not from a standard event log channel, you must make sure that any DLL files required by that channel are present on the computer on which you are indexing.
- The language that a .evt/.evtx file will be indexed as is the primary locale/language of the Splunk computer that collects the file.
Caution: Do not attempt to monitor a .evt or .evtx file that is currently being written to; Windows will not allow read access to these files. Use the event log monitoring feature instead.
Note: When producing .evt/.evtx files on one system, and monitoring them on another, it's possible to not have all fields expanded as they would be on the producing system. This is caused by variations in DLL availability and APIs. Differences in OS version, language, patch level, installed third party DLLs, etc. can have this effect.
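The following Python script is an added example, not part of the original page or of Splunk. It identifies exported event log files by their on-disk signature rather than by extension (a legacy .evt file begins with a 48-byte header whose second field is the bytes "LfLe"; an .evtx file begins with the 8-byte magic "ElfFile\0") and then applies the collector constraints listed above to decide whether a given Windows version can index each file. The sample files are constructed byte strings containing only the headers.

```python
"""Classify exported Windows event log files by signature and apply the
collector-OS constraints above.

Added example, not from the original page or from Splunk. The signatures are
the documented file headers (legacy .evt: a 48-byte header with "LfLe" at
offset 4; .evtx: the 8-byte "ElfFile\\0" magic); the OS rules are the ones
listed under Constraints. The sample files are constructed byte strings.
"""
import struct
from typing import Dict, Tuple

EVTX_MAGIC = b"ElfFile\x00"   # first 8 bytes of an .evtx file
EVT_SIGNATURE = b"LfLe"       # bytes 4..7 of a legacy .evt header
EVT_HEADER_SIZE = 0x30        # first DWORD of a legacy .evt header (48 bytes)

LEGACY_COLLECTORS = {"Windows 2000", "Windows XP", "Windows Server 2003"}
MODERN_COLLECTORS = {"Windows Vista", "Windows Server 2008", "Windows 7"}
NO_MESSAGE_FIELD = {"Windows XP", "Windows Server 2003"}  # .evt imports lose the message field here


def sniff_format(data: bytes) -> str:
    """Return 'evtx', 'evt' or 'unknown' from the first bytes of the file."""
    if data[:8] == EVTX_MAGIC:
        return "evtx"
    if len(data) >= 8 and struct.unpack("<I", data[:4])[0] == EVT_HEADER_SIZE and data[4:8] == EVT_SIGNATURE:
        return "evt"
    return "unknown"


def can_index(fmt: str, collector_os: str) -> bool:
    """2000/2003/XP index only .evt files; Vista/2008/7 index both .evt and .evtx."""
    if fmt == "evt":
        return collector_os in LEGACY_COLLECTORS or collector_os in MODERN_COLLECTORS
    if fmt == "evtx":
        return collector_os in MODERN_COLLECTORS
    return False


def triage(files: Dict[str, bytes], collector_os: str) -> Dict[str, Tuple[str, bool, str]]:
    """Map each file name to (detected format, indexable on this collector, note)."""
    result = {}
    for name, data in files.items():
        fmt = sniff_format(data)
        ok = can_index(fmt, collector_os)
        ext = name.rsplit(".", 1)[-1].lower()
        if fmt == "unknown":
            note = "not an event log file"
        elif ext != fmt:
            # an .evt file renamed to .evtx (or vice versa) is a common cause of confusing failures
            note = f"content is .{fmt} but extension is .{ext}"
        elif not ok:
            note = f"{collector_os} cannot index .{fmt}; collect it on Vista/2008/7"
        elif fmt == "evt" and collector_os in NO_MESSAGE_FIELD:
            note = "message field will be missing on XP/2003"
        else:
            note = "ok"
        result[name] = (fmt, ok, note)
    return result


# Constructed samples: only the headers matter for classification.
SAMPLE_FILES = {
    "Security.evtx": EVTX_MAGIC + b"\x00" * 120,
    "Security.evt": struct.pack("<I", EVT_HEADER_SIZE) + EVT_SIGNATURE + b"\x00" * 40,
    "System.evtx": struct.pack("<I", EVT_HEADER_SIZE) + EVT_SIGNATURE + b"\x00" * 40,  # .evt content, wrong extension
    "readme.txt": b"not an event log\n",
}

if __name__ == "__main__":
    for collector in ("Windows Server 2003", "Windows 7"):
        print(f"== collector: {collector}")
        for name, (fmt, ok, note) in triage(SAMPLE_FILES, collector).items():
            print(f"{name:14} {fmt:8} indexable={ok!s:5} {note}")
```

To use it on real exports, read the first 8 bytes of each file in the directory you monitor and pass them to triage; a file the page's monitoring input cannot read because it is still being written will simply fail to open, which is the signal to use event log monitoring instead of file monitoring for that log.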
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8