Monitor Windows event log data with
Windows generates log data during the course of its operations. The Windows Event Log service handles nearly all of this communication. It gathers log data that installed applications, services, and system processes publish and places the log data into event log channels. Programs such as Microsoft Event Viewer subscribe to these log channels to display events that have occurred on the system.
You can monitor event log channels and files that are on the local machine or you can collect logs from remote machines. The event log monitor runs once for every event log input that you define.
To monitor Windows Event Log channels in Splunk Cloud Platform, use a Splunk universal or heavy forwarder to collect the data and forward it to your Splunk Cloud Platform deployment. As a best practice, use the Splunk Add-on for Windows to simplify the process of getting data into Splunk Cloud Platform. For instructions on using the Splunk Add-on for Windows to get data into Splunk Cloud Platform, see Get Windows Data Into Splunk Cloud in the Splunk Cloud Admin Manual.
Why monitor event logs?
Windows event logs are the core metric of Windows machine operations. If there is a problem with your Windows system, the Event Log service has logged it. The Splunk platform indexing, searching, and reporting capabilities make your logs accessible.
Requirements for monitoring event logs
Activity | Requirements |
---|---|
Monitor local event logs |
|
Monitor remote event logs |
|
Security and other considerations for collecting event log data from remote machines
You collect event log data from remote machines using a universal forwarder, a heavy forwarder, or WMI. As a best practice, use a universal forwarder to send event log data from remote machines to an indexer. See The universal forwarder in the Universal Forwarder manual for information about how to install, configure and use the forwarder to collect event log data. If you can't install a forwarder on the machine where you want to get data, you can use WMI.
To install forwarders on your remote machines to collect event log data, install the forwarder as the Local System user on these machines. The Local System user has access to all data on the local machine, but not on remote machines.
To use WMI to get event log data from remote machines, you must ensure that your network and Splunk Enterprise instances are properly configured. Do not install Splunk software as the Local System user. The user you use to install the software determines the event logs that Splunk software has access to. See Security and remote access considerations for additional information on the requirements you must satisfy to collect remote data properly using WMI.
By default, Windows restricts access to some event logs depending on the version of Windows you run. For example, only members of the local Administrators or global Domain Admins groups can read the Security event logs by default.
How the Windows Event Log monitor interacts with Active Directory
When you set up an Event Log monitoring input for WMI, the input connects to an Active Directory (AD) domain controller to authenticate and, if necessary, performs any security ID (SID) translations before it begins to monitor the data.
The Event Log monitor uses the following logic to interact with AD after you set it up:
- If you specify a domain controller when you define the input with the
evt_dc_name
setting in the inputs.conf file, then the input uses that domain controller for AD operations. - If you do not specify a domain controller, then the input does the following:
- The input attempts to use the local system cache to authenticate or resolve SIDs.
- If the monitor cannot authenticate or resolve SIDs that way, it attempts a connection to the domain controller that the machine that runs the input used to log in.
- If that does not work, then the input attempts to use the closest AD domain controller that has a copy of the Global Catalog.
- If the domain controller that you specify is not valid, or a domain controller cannot be found, then the input generates an error message.
Collect event logs from a remote Windows machine
You have two choices to collect data from a remote Windows machine:
- Use a universal forwarder
- Use WMI
Use a universal or heavy forwarder
You can install a universal forwarder or a heavy forwarder on the Windows machine and instruct it to collect event logs. You can do this manually or use a deployment server to manage the forwarder configuration.
- On the Windows machine for which you want to collect Windows Event Logs, download Splunk Enterprise or the universal forwarder software.
- Run the universal forwarder installation package to begin the installation process.
- When the installer prompts you, configure a receiving indexer.
- When the installer prompts you to specify inputs, enable the event log inputs by checking the Event logs checkbox.
- Complete the installation procedure.
- On the receiving indexer, use Splunk Web to search for the event log data as in the following example:
host=<name of remote Windows machine> sourcetype=Wineventlog
For specific instructions to install the universal forwarder, see Install a Windows universal forwarder in the Forwarder Manual.
Use WMI
If you want to collect event logs remotely using WMI, you must install the universal or heavy forwarder to run as an Active Directory domain user. If the selected domain user is not a member of the Administrators or Domain Admins groups, then you must configure event log security to give the domain user access to the event logs.
To change event log security to get access to the event logs from remote machines, you must meet the following requirements:
- Have administrator access to the machine from which you are collecting event logs.
- Understand how the Security Description Definition Language (SDDL) works and how to assign permissions with it. Search the term "Security Description Definition Language" in the Microsoft Learn website for more information.
- Decide how to monitor your data. See Considerations for deciding how to monitor remote Windows data for information on collecting data from remote Windows machines.
You can use the wevtutil utility to set event log security.
- Download a Splunk Enterprise instance onto a Windows machine.
- Double-click the installer file to begin the installation.
- When the installer prompts you to specify a user, select Domain user.
- On the next installer pane, enter the domain user name and password that you want Splunk Enterprise to use when it runs.
- Follow the prompts to complete the installation of the software.
- Once the software has installed, log in to the instance.
- Use Splunk Web to add the remote event log input. See Configure remote event log monitoring later in this topic.
Anomalous machine names are visible in event logs on some systems
On some Windows systems, you might see some event logs with randomly-generated machine names. This is the result of those systems logging events before the user has named the system during the OS installation process.
This anomaly occurs only when you collect logs from versions of Windows remotely over WMI.
Configure local event log monitoring with Splunk Web
To get local Windows event log data, point your Splunk Enterprise instance at the Event Log service.
Go to the Add Data page
You can get there in two ways:
- Splunk Settings
- Splunk Home
From Splunk Settings:
- Click Settings > Data Inputs.
- Click Local event log collection.
- Click New to add an input.
From Splunk Home:
- Click the Add Data link in Splunk Home.
- Click Monitor to monitor Event Log data on the local Windows machine, or Forward to forward Event Log data from another Windows machine.
Splunk Enterprise loads the Add Data - Select Source page. - If you selected Forward, select or create the group of forwarders you want this input to apply to. See Forward data in this manual.
- Click Next.
Select the input source
- Select Local Event Logs
- In the Select Event Logs list, select the Event Log channels you want this input to monitor.
- Click each Event Log channel you want to monitor once.
Splunk Enterprise moves the channel from the Available items window to the Selected items window. - To deselect a channel, click its name in the Available Items window.
Splunk Enterprise moves the channel from the Selected items window to the Available items window. - To select or deselect all of the event logs, click the add all or remove all links.
Selecting all of the channels can result in the indexing of a lot of data.
- Click Next.
Specify input settings
The Input Settings page lets you specify the application context, default host value, and index. All of these parameters are optional.
The Host field sets only the host field in the resulting events. It doesn't direct Splunk Enterprise to look on a specific machine on your network.
- Select the appropriate Application context for this input.
- Set the Host value. You have several choices for this setting. For more information about setting the host value, see About hosts.
- Set the Index that you want Splunk Enterprise to send data to. Leave the value as default, unless you defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.
- Click Review.
Review your choices
After you specify all your input settings, you can review your selections. Splunk Enterprise lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.
- Review the settings.
- If they do not match what you want, click the left angle bracket ( < ) to go back to the previous step in the wizard. Otherwise, click Submit.
Splunk Enterprise then displays the "Success" page and begins indexing the specified Event Log channels.
Configure remote event log monitoring with Splunk Web
The process for configuring remote event log monitoring is nearly identical to the process for monitoring local event logs.
- Follow the instructions to get to the Add Data page. See Go to the Add Data page.
- Locate and select Remote Event Logs.
- In the Event Log collection name field, enter a unique, memorable name for this input.
- In the Choose logs from this host field, enter the host name or IP address of the machine that contains the Event Log channels you want to monitor.
Selecting all of the Event Log channels can result in the indexing of a lot of data.
- Click the Find logs button to refresh the page with a list of available Event Log channels on the machine you entered.
- Click once on each Event Log channel you want to monitor.
Splunk Enterprise moves the channel from the Available items window to the Selected items window. - To deselect a channel, click its name in the Available Items window.
Splunk Enterprise moves the channel from the Selected items window to the Available items window. - To select or deselect all of the event logs, click the add all or remove all links.
- In the Collect the same set of logs from additional hosts field, enter the host names or IP addresses of additional machines that contain the Event Logs you selected previously. Separate multiple machines with commas.
- Click the green Next button.
- Follow the instructions to specify input settings. See Specify input settings.
- Follow the instructions to review your choices. See Review your choices.
Use the inputs.conf configuration file to configure event log monitoring
On either a universal or heavy forwarder, you can edit the inputs.conf configuration file to configure Windows event log monitoring.
- Using Notepad or a similar editor, open %SPLUNK_HOME%\etc\system\local\inputs.conf for editing. You might need to create this file if it doesn't exist.
- Enable Windows event log inputs by adding input stanzas that reference Event Log channels.
- Save the file and close it.
- Restart the Splunk platform.
For more information on configuring data inputs with the inputs.conf configuration file, see Edit inputs.conf.
Specify global settings for Windows Event Log inputs
When you define Windows Event Log inputs in the inputs.conf configuration file, confirm that you specify global settings in the correct place.
If you specify global settings for Windows Event Log inputs, such as host
, sourcetype
, and so on, you can place those settings in one of the following areas:
- Under the
[WinEventLog]
global stanza. This stanza is equal to the[default]
stanza for other monitoring inputs. For example:[default] _meta = hf_proxy::meta_test [WinEventLog] _meta = hf_proxy::meta_test host = WIN2K16_DC index = wineventlog [WinEventLog://Application] disabled = 0
- Under the Windows Event Log input stanza for the Event Log channel that you want to monitor. For example:
[default] _meta = hf_proxy::meta_test [WinEventLog] host = WIN2K16_DC index = wineventlog [WinEventLog://Application] disabled = 0 _meta = hf_proxy::meta_test
You can review the defaults for a configuration file by looking at the examples in %SPLUNK_HOME%\etc\system\default or at the spec file in the Admin Manual.
Event log monitor configuration values
Windows event log (*.evt) files are in binary format. You can't monitor them like you do a normal text file. The Splunk platform monitors these binary files by using the appropriate APIs to read and index the data within the files.
Splunk Enterprise uses the following stanzas in inputs.conf to monitor the default Windows event logs:
# Windows platform specific input processor. [WinEventLog://Application] disabled = 0 [WinEventLog://Security] disabled = 0 [WinEventLog://System] disabled = 0
Monitor non-default Windows event logs
You can also configure Splunk Enterprise to monitor non-default Windows event logs. Before you can do this, you must import them to the Windows Event Viewer. After you import the logs, you can add them to your local copy of the inputs.conf file, as in the following example:
[WinEventLog://DNS Server] disabled = 0 [WinEventLog://Directory Service] disabled = 0 [WinEventLog://File Replication Service] disabled = 0
Use the Full Name log property in Event Viewer to specify complex Event Log channel names properly
You can use the Full Name
Event Log property in Event Viewer to ensure that you specify the correct Event Log channel in an inputs.conf stanza.
For example, to monitor the Task Scheduler application log, Microsoft-Windows-TaskScheduler-Operational
, do the following steps:
- Open Event Viewer.
- Expand Applications and Services Logs > Microsoft > Windows > TaskScheduler.
- Right-click Operational and select Properties.
- In the dialog that appears, copy the text in the Full Name field.
- Append this text into the
WinEventLog://
stanza of inputs.conf as in the following example:[WinEventLog://Microsoft-Windows-TaskScheduler/Operational] disabled = 0
Disable an event log stanza
To disable indexing for an event log, add disabled = 1
after its listing in the stanza in %SPLUNK_HOME%\etc\system\local\inputs.conf.
Configuration settings for monitoring Windows Event Logs
Splunk software uses the following settings in the inputs.conf file to monitor Event Log files:
Setting | Description | Default |
---|---|---|
start_from
|
Where the Event Log input begins to read Event Log events. Acceptable values are You can't give this setting a value of |
oldest
|
current_only
|
How to index events. Acceptable values are You can't give this setting a value of |
0 |
checkpointInterval
|
How frequently, in seconds, the Windows Event Log input saves a checkpoint. Checkpoints store the eventID of acquired events to let Splunk software resume monitoring at the correct event after a shutdown or outage. |
0 |
evt_resolve_ad_ds
|
The domain controller that Splunk software uses to interact with Active Directory while it indexes Windows Event Log channels. Valid only when you configure the Valid values are |
auto
|
evt_resolve_ad_obj
|
How Splunk software interacts with Active Directory while it indexes Windows Event Log channels. Valid values are When you set this value to |
0 |
evt_dc_name
|
Which Active Directory domain controller to bind to resolve AD objects. This name can be the NetBIOS name of the domain controller, the fully-qualified DNS name of the domain controller, or an environment variable name specified as If you configure this setting, then Splunk software ignores the If you specify a Windows environment variable, you must prepend a dollar sign ( You can precede either format with two backslash characters. This setting does not have a default. |
N/A |
evt_dns_name
|
The fully-qualified DNS name of the domain to bind to resolve AD objects. | N/A |
evt_exclude_fields
|
A list of Windows Event Log fields that the Windows Event Log input is to exclude when it ingests Windows Event Log data. When you specify this setting, the input removes both the key and value data for the fields you exclude. This setting works similar to the suppress_* settings, but unlike those settings, this setting is valid for all Windows Event Log fields, and excludes fields that you might have included in an allow list. When this collision happens, the instance logs an error. See "Create advanced filters with 'whitelist' and 'blacklist'" later in this topic for the list of Windows Event Log fields that you can exclude.
|
N/A |
suppress_text
|
Whether or not to include the message text that comes with a security event. A value of 1 suppresses the message text, and a value of 0 preserves the text. | 0 |
use_old_eventlog_api
|
Whether or not to read Event Log events with the Event Logging API. This is an advanced setting. Contact Splunk Support before you change it. A value of "true" means the input uses the Event Logging API instead of the Windows Event Log API to read from the Event Log on Windows Server 2008, Windows Vista, and higher installations. |
false (Use the API that is specific to the OS.)
|
use_threads
|
Specifies the number of threads, in addition to the default writer thread, that can be created to filter events with the allow list/deny list regular expression. This is an advanced setting. Contact Splunk Support before you change it. The maximum number of threads is 15. |
0 |
thread_wait_time_msec
|
The interval, in milliseconds, between attempts to re-read Event Log files when a read error occurs.
This is an advanced setting. Contact Splunk Support before you change it. |
5000 |
suppress_checkpoint
|
Whether or not the Event Log strictly follows the This is an advanced setting. Contact Splunk Support before you change it. By default, the Event Log input saves a checkpoint from between zero and |
false
|
suppress_sourcename
|
Whether or not to exclude the This is an advanced setting. Contact Splunk Support before you change it. A value of "true" means the input excludes the |
false
|
suppress_keywords
|
Whether or not to exclude the This is an advanced setting. Contact Splunk Support before you change it. A value of "true" means the input excludes the |
false
|
suppress_type
|
Whether or not to exclude the This is an advanced setting. Contact Splunk Support before you change it. A value of "true" means the input excludes the |
false
|
suppress_task
|
Whether or not to exclude the This is an advanced setting. Contact Splunk Support before you change it. A value of "true" means the input excludes the |
false
|
suppress_opcode
|
Whether or not to exclude the This is an advanced setting. Contact Splunk Support before you change it. A value of "true" means the input excludes the |
false
|
wec_event_format
|
The content format of the events that the Splunk platform expects to receive from a Windows Event Collector (WEC) subscription before it sends the data to its destination log. The setting has two values:
Configure this setting to match the content format of the WEC subscription destination log. |
The default can vary.
|
whitelist
|
Index events that match the specified text string. This setting is optional. You can specify one of two formats:
You cannot mix formats in a single entry. You also cannot mix formats in the same stanza. Allow lists are processed first, then deny lists. If no allow list is present, the Splunk platform indexes all events. If a file matches the regexes in both the deny list and allow list settings, the Splunk platform does not index the event. Deny lists take precedence over allow lists. When you use the Event Code/ID format:
When using the advanced filtering format:
|
N/A |
blacklist
|
Do not index events that match the specified text string. This setting is optional. You can specify one of two formats:
You cannot mix formats in a single entry. You also cannot mix formats in the same stanza. Allow lists are processed first, then deny lists. If no deny list is present, the Splunk platform indexes all events. When using the Event Log code/ID format:
When using the advanced filtering format:
| |
renderXml
|
Render event data as extensible markup language (XML) supplied by the Windows Event Log subsystem. This setting is optional.
A value of If you give |
0 (false) |
index
|
The index that this input is to send the data to. | the default index |
disabled
|
Whether or not the input is to run. Valid values are |
0 |
Use the Security event log to monitor changes to files
You can monitor changes to files on your system by enabling security auditing on a set of files or directories and then monitoring the Security event log channel for change events. The event log monitoring input includes three attributes which you can use in inputs.conf. For example:
[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 # only index events with these event IDs. whitelist = 0-2000,3001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000
To enable security auditing for a set of files or directories, search the Microsoft documentation for "configure security auditing".
You can also use the suppress_text
setting to include or exclude the message text that comes with a security event.
When you set suppress_text
to 1 in a Windows Event Log Security stanza, the entire message text does not get indexed, including any contextual information about the security event. If you need this contextual information, do not set suppress_text
in the stanza.
See the following example to include or exclude message text:
[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 # suppress message text, we only want the event number. suppress_text = 1 # only index events with these event IDs. whitelist = 0-2000,2001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000
To use a specific domain controller, set the evt_dc_name
attribute:
[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 evt_dc_name = boston-dc1.contoso.com checkpointInterval = 5 # suppress message text, we only want the event number. suppress_text = 1 # only index events with these event IDs. whitelist = 0-2000,2001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000
To use the primary domain controller to resolve AD objects, give the evt_resolve_ad_ds
setting a value of PDC
. Otherwise, it locates the nearest domain controller.
[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 evt_resolve_ad_ds = PDC checkpointInterval = 5 # suppress message text, we only want the event number. suppress_text = 1 # only index events with these event IDs. whitelist = 0-2000,2001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000
Create advanced filters with the 'whitelist' and 'blacklist' settings
You can perform advanced filtering of incoming events with the whitelist
and blacklist
settings in addition to filtering based solely on event codes. To do this, specify the key/regular expression format in the setting:
whitelist = key=<regular expression> [key=<regular expression>] ...
In this format, key
must be a valid entry from the following table:
Key | Description |
---|---|
$TimeGenerated | The time that the computer generated the event. Splunk Enterprise only generates the time string as the event. |
$Timestamp | The time that the event was received and recorded by the Event Log service. Splunk Enterprise only generates the time string as the event. |
$XmlRegex | A special key that configures Splunk Enterprise to match incoming events in XML format. See Filter data in XML format with the xmlRegex key later in this topic for help on using this key. |
Category | The category number for a specific event source. |
CategoryString | A string translation of the category. The translation depends on the event source. |
ComputerName | The name of the computer that generated the event. |
EventCode | The event ID number for an event. Corresponds to Event ID in Event Viewer. |
EventType | A numeric value that represents one of the five types of events that can be logged: Error, Warning, Information, Success Audit, and Failure Audit. Available only on machines that run Windows Server 2003 and lower or clients running Windows XP and lower. See Win32_NTLogEvent class (Windows) on MSDN at http://msdn.microsoft.com/en-us/library/aa394226(v=vs.85).aspx. |
Keywords | An element used to classify different types of events within an event log channel. The Security Event Log channel has this element, for example. |
LogName | The name of the Event Log channel that received the event. Corresponds to Log Name in Event Viewer. |
Message | The text of the message in the event. |
OpCode | The severity level of the event. Corresponds to OpCode in Event Viewer. |
RecordNumber | The Windows Event Log record number. Each event on a Windows machine gets a record number. This number starts at 0 with the first event generated on the system, and increases with each new event generated, until it reaches a maximum of 4294967295. It then rolls back over to 0. |
Sid | The Security Identifier (SID) of the principal, such as a user, group, computer, or other entity, that was associated with or generated the event. See Win32_UserAccount class on MSDN at http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507%28v=vs.85%29.aspx. |
SidType | A numeric value that represents the type of SID that was associated with the event. See Win32_UserAccount class on MSDN at http://msdn.microsoft.com/en-us/library/windows/desktop/aa394507%28v=vs.85%29.aspx. |
SourceName | The source of the entity that generated the event. Corresponds to Source in Event Viewer. |
TaskCategory | The task category of the event. Event sources let you define categories so that you can filter them with Event Viewer using the Task Category field. See Event Categories (Windows) on MSDN at http://msdn.microsoft.com/en-us/library/aa363649%28VS.85%29.aspx.
|
Type | A numeric value that represents one of the five types of events that can be logged: Error, Warning, Information, Success Audit, and Failure Audit. Only available on machines that run Windows Server 2008 or higher, or Windows Vista or higher. See Win32_NTLogEvent class (Windows) on MSDN at http://msdn.microsoft.com/en-us/library/aa394226(v=vs.85).aspx. |
User | The user associated with the event. Correlates to User in Event Viewer. |
<regular expression>
is any valid regular expression that represents the filters that you want to include, when you use the filter with the whitelist
setting, or exclude, when you use the filter with the blacklist
setting.
You can specify more than one key/regular expression set on a single entry line. When you do this, Splunk Enterprise logically joins the sets. This means that only events that satisfy all of the sets on the line are valid for inclusion or exclusion. See the following examples:
whitelist = EventCode="^1([0-5])$" Message="^Error"
means to include events that have an EventCode
ranging from 10 to 15 and contain a Message
that begins with the word Error
.
You can specify up to 10 separate allow list or deny list entries in each stanza. To do so, add a number at the end of the whitelist
or blacklist
entry on a separate line:
whitelist = key=<regular expression> whitelist1 = key=<regular expression> key2=<regular expression 2> whitelist2 = key=<regular expression>
You cannot specify an entry that has more than one key/regular expression set that references the same key. If, for example, you specify:
whitelist = EventCode="^1([0-5])$" EventCode="^2([0-5])$"
Splunk Enterprise ignores the first set and only attempts to include events that match the second set. In this case, only events that contain an EventCode
between 20 and 25 match. Events that contain an EventCode
between 10 and 15 do not match. Only the last set in the entry ever matches. To resolve this problem, specify two separate entries in the stanza:
whitelist = EventCode="^1([0-5])$"
whitelist1 = EventCode="^2([0-5])$"
Filter data in XML format with the xmlRegex key
The $xmlRegex
special key lets you use an allow or deny list to filter Windows Event Log events that are in XML format. You must specify this key to filter events when you configure the Windows Event Log input to render events in XML format, otherwise the filtering won't work.
To use this key to filter XML-formatted events, do the following:
- Configure the Windows Event Log input to render events in XML by setting
renderXml
totrue
in the Windows Event Log input stanza. - In the allow list or deny list filter, as you define using either the
whitelist[x]
orblacklist[x]
settings, supply an$xmlRegex
key with a regular expression value (regex) on which you want the Splunk platform to filter events.
The key and the regular expression value comprise an entry in the allow or deny list. Because the key requires that you first render Windows Event Log events in XML format, you must use regexes as the values for the $XmlRegex
key to filter the XML. Because regexes can contain quotes, slashes, and other characters, you must surround regexes with characters that demarcate the regex from the rest of the elements in the allow or deny list entry. These demarcation characters can be any character except a space, but cannot be part of the regex itself. For example:
$XmlRegex=+Error*+
Here, the demarcation character is the plus sign (+
). It separates the regex Error*
from the $XmlRegex
key.
You can specify multiple $XmlRegex
entries in a single allow or deny list. To do this, add another $XmlRegex=<regex>
entry to the allow or deny list line.
When it processes allow or deny lists, the Splunk platform logically joins entries within the allow or deny list. This means that each of the $xmlRegex
entries within the allow or deny list must evaluate as true for the allow or deny list as a whole to evaluate as true. Other entries in the same allow or deny list can cause the list to evaluate as false and not filter the events as you want.
Examples for using $xmlRegex
Following are examples of how to use the $xmlRegex
special key:
blacklist = EventCode=+*44+ $xmlRegex=$Error*$ $xmlRegex=+*something*+
means to exclude events whose event codes end in 44, and contain the words "Error" and "something" somewhere in the XML formatted message.
blacklist = $xmlRegex = <EventID>(4672|4685|4688|4719)<\/EventID>
means to exclude events whose event codes are one of 4672, 4685, 4688, or 4719.
blacklist = $xmlRegex="<EventID>4688<\/EventID>.*<Data Name='NewProcessName'>[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe"
means to exclude events with an event code of 4688, or "new process created" when the new process name for that event matches most Splunk platform executable files on Windows, up to the first four hard disks on a Windows machine (C through F drives).
Suppress fields from Windows Event Log events
There are two options to limit the ingestion of data by removing Windows Event Log fields from events that a Splunk Platform instance ingests:
- Use the
suppress_*
settings in inputs.conf to remove certain Windows Event Log fields from ingested events. - Use the
evt_exclude_fields
setting, which lets you remove any Windows Event Log field from a Windows Event Log event. This setting removes both the excluded key and value from the event, and excludes events even if the field exists in an allow list.
You define both of these settings in the inputs.conf configuration file, under a Windows Event Log monitoring input, for example:
suppress_*
example (suppresses the message text)
[WinEventLog://System] disabled=0 suppress_text=1
evt_exclude_fields
example
[WinEventLog://System] disabled=0 evt_exclude_fields=EventCode,RecordNumber
See the list of fields in "Create advanced filters with 'whitelist' and 'blacklist'" earlier in this topic. See "Configuration settings for monitoring Windows Event Logs", also earlier in this topic, for more information about the settings.
Resolve Active Directory objects in event log files
To specify whether Active Directory objects like globally unique identifiers (GUIDs) and security identifiers (SIDs) are resolved for a given Windows event log channel, use the evt_resolve_ad_obj
attribute (1=enabled, 0=disabled) for that channel's stanza in your local copy of inputs.conf. The evt_resolve_ad_obj
attribute is on by default for the Security channel.
For example:
[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5
To specify a domain controller for the domain that the Splunk platform instance is to bind to in order to resolve AD objects, use the evt_dc_name
attribute.
The string specified in the evt_dc_name
attribute can represent either the domain controller NetBIOS name, or its fully-qualified domain name (FQDN). Either name type can, optionally, be preceded by two backslash characters.
The following examples are correctly formatted domain controller names:
FTW-DC-01
\\FTW-DC-01
FTW-DC-01.splunk.com
\\FTW-DC-01.splunk.com
To specify the FQDN of the domain to bind to, use the evt_dns_name
attribute.
For example:
[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 evt_dc_name = ftw-dc-01.splunk.com evt_dns_name = splunk.com checkpointInterval = 5
When you use the evt_resolve_ad_obj
and evt_dc_name
attributes, the following constraints apply:
- Splunk software first attempts to resolve SIDs and GUIDs using the domain controller (DC) specified in the
evt_dc_name
attribute first. If it cannot resolve SIDs using this DC, it attempts to bind to the default DC to perform the translation. - If Splunk software cannot contact a DC to translate SIDs, it attempts to use the local machine for translation.
- If none of these methods works, then Splunk prints the SID as it was captured in the event.
- Splunk software cannot translate SIDs that are not in the format
S-1-N-NN-NNNNNNNNNN-NNNNNNNNNN-NNNNNNNNNN-NNNN
.
If you discover that SIDs are not being translated properly, review %SPLUNK_HOME%\var\log\splunkd.log
for clues about what the problem might be.
Specify whether to start index at the earliest or the most recent event
Use the start_from
attribute to specify whether events are indexed starting at the earliest event or the most recent. By default, indexing starts with the oldest data and moves forward. Do not change this setting, because Splunk software stops indexing after it has indexed the backlog using this method.
Use the current_only
attribute to specify whether to index all preexisting events in a given log channel. When set to 1, only events that appear from the moment the Splunk deployment was started are indexed. When set to 0, all events are indexed.
For example:
[WinEventLog://Application] disabled = 0 start_from = oldest current_only = 1
Display Windows Event Log events in XML
To have Splunk Enterprise generate Windows Event Log events in XML, use the renderXml
setting in a Windows Event Log input stanza:
[WinEventLog://System] disabled = 0 renderXml = 1 evt_resolve_ad_obj = 1 evt_dns_name = \"SV5DC02\"
This input stanza generates events like the following:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'> <System> <Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/> <EventID Qualifiers='16384'>7036</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8080000000000000</Keywords> <TimeCreated SystemTime='2014-04-24T18:38:37.868683300Z'/> <EventRecordID>412598</EventRecordID> <Correlation/> <Execution ProcessID='192' ThreadID='210980'/> <Channel>System</Channel> <Computer>SplunkDoc.splunk-docs.local</Computer> <Security/> </System> <EventData> <Data Name='param1'>Application Experience</Data> <Data Name='param2'>stopped</Data> <Binary>410065004C006F006F006B00750070005300760063002F0031000000</Binary> </EventData> </Event>
When you instruct Splunk Enterprise to render events in XML, event keys within the XML event render in English regardless of the machine system locale. Compare the following events generated on a French version of Windows Server.
Standard event:
04/29/2014 02:50:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=sacreblue TaskCategory=Ouverture de session spéciale OpCode=Informations RecordNumber=2746 Keywords=Succès de l'audit Message=Privilèges spéciaux attribués à la nouvelle ouverture de session. Sujet : ID de sécurité : AUTORITE NT\Système Nom du compte : Système Domaine du compte : AUTORITE NT ID d'ouverture de session : 0x3e7 Privilèges : SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
XML event:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'> <System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/> <EventID>4672</EventID> <Version>0</Version> <Level>0</Level> <Task>12548</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime='2014-04-29T22:15:03.280843700Z'/> <EventRecordID>2756</EventRecordID> <Correlation/><Execution ProcessID='540' ThreadID='372'/> <Channel>Security</Channel> <Computer>sacreblue</Computer> <Security/> </System> <EventData> <Data Name='SubjectUserSid'>AUTORITE NT\Système</Data> <Data Name='SubjectUserName'>Système</Data> <Data Name='SubjectDomainName'>AUTORITE NT</Data> <Data Name='SubjectLogonId'>0x3e7</Data> <Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege</Data> </EventData> </Event>
The Data Name
keys in the XML event render in English despite rendering in the system's native language in the standard event.
Use allow lists and deny lists to filter on XML-based events
If you render events in XML, and you want to use allow lists and deny lists to filter on those events, you must use the special key $XmlRegex
when you build your allow lists or deny lists.
The allow list or deny list triggers when Splunk Enterprise finds the value that you specify with $XmlRegex
anywhere in the XML-rendered event. $XmlRegex
doesn't work if you don't explicitly specify the input to render events in XML with the renderXml = true
setting.
The $XmlRegex
setting doesn't search for key-value pairs. It configures Splunk Enterprise to expect incoming events in XML format.
The following example configures the whitelist
setting to allow XML events. Splunk Enterprise indexes all XML events that contain the word "Error":
[WinEventLog://System] disabled = 0 renderXml = 1 evt_resolve_ad_obj = 1 evt_dns_name = \"SV5DC02\" whitelist = $XmlRegex='Error'
See the Create advanced filters with whitelist and blacklist section earlier in this topic for additional information and syntax.
Use the CLI to configure event log monitoring
You can use the CLI to configure local event log monitoring. Before you use the CLI, create stanza entries in inputs.conf first. See Use inputs.conf to configure event log monitoring in this topic.
The CLI is not available for remote Event Log collections.
To list all configured Event Log channels on the local machine, enter the following:
> splunk list eventlog
You can also list a specific channel by specifying its name as in the following example:
> splunk list eventlog <ChannelName>
To enable an Event Log channel, enter the following:
> splunk enable eventlog <ChannelName>
To disable a channel, enter the following:
> splunk disable eventlog <ChannelName>
Index exported event log files
To index exported Windows event log (.evt or .evtx) files, monitor the directory that contains the exported files. See Monitor files and directories.
Do not attempt to monitor an .evt or .evtx file that is open for writing. Windows does not allow read access to these files. Use the event log monitoring feature instead.
Constraints for monitoring Windows Event log files directly
Directly monitoring Windows Event log files have the following constraints:
- As a result of API and log channel processing constraints on Windows XP and Server 2003 systems, imported .evt files from those systems do not contain the
Message
field. This means that the contents of theMessage
field do not appear in your index. - Splunk Enterprise on Windows XP and Windows Server 2003/2003 R2 cannot index .evtx files that come from systems running Windows Vista and higher or Windows Server 2008/2008 R2 and higher.
- Splunk Enterprise on Windows Vista and higher and Server 2008/2008 R2 and higher can index both .evt and .evtx files.
- If your .evt or .evtx file is not from a standard event log channel, you must make sure that any dynamic link library (DLL) files required by that channel are present on the computer on which you are indexing.
- Splunk Enterprise indexes an .evt or .evtx file in the primary locale and language of the computer that collects the file.
- Files that you export from another machine do not work with the Splunk Web Upload feature. This is because those files contain information that is specific to the machine that generated them. Other machines cannot process the files in their unaltered form.
When producing .evt or .evtx files on one system, and monitoring them on another, it's possible that not all of the fields in each event expand as they would on the system producing the events. This is caused by variations in DLL versions, availability, and APIs. Differences in OS version, language, Service Pack level, and installed third-party DLLs can also have this effect.
Monitor Active Directory | Monitor file system changes on Windows |
This documentation applies to the following versions of Splunk® Enterprise: 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0
Feedback submitted, thanks!