Getting Data In

Windows event logs - remote

Splunk can monitor Windows event logs, both locally and remotely over WMI. Whether you are alerting on security events, reporting on system health, or searching for particular event IDs to determine the state of your Windows systems, Splunk's event log collection capabilities make it a snap.

Important: To collect Windows event logs remotely, Splunk must be installed to run as a user with privileges on the machines from which you want to collect logs. Review "Considerations for deciding how to monitor remote Windows data" in this manual for additional information.

To get remote Windows event log data, point Splunk at a remote machine's Event Log service:

1. From the Home page in Splunk Web, click Add data.

2. Under the To get started... banner, click Windows event logs.

3. Click Next under Collect Windows event logs from another machine.

4. In the Event Log collection name field, type in a unique name for the event logs you will be collecting.

5. In the Choose logs from this host field, enter the hostname for a machine on your Windows network. You can specify a short hostname, the server's fully qualified domain name, or its IP address.

6. Click Find logs… to get a list of the available event log channels on the remote machine.

7. In the Available log(s) window that appears, click once on the event log channels you want Splunk to monitor.

The log channels will appear in the Selected Logs window.

8. Optionally, you can specify additional servers from which to collect the same set of event logs. Type in each hostname, separating them with commas.

9. Another option is to set the destination index for this source by selecting an index from the Index drop-down box.

10. Click Save.

11. From the Success page, click Search to start searching. You can enter any term that’s in your data, or you can click on a source, source type or host to see data from the events as they come into Splunk.

For more information on getting data from Windows event logs, see "Monitor Windows event log data" in this manual.
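The steps above are what Splunk Web does on your behalf; the same input can be written by hand as a stanza in wmi.conf. The following is an added example, not a fragment from this topic: the stanza name, host names, channels and index name are constructed placeholders, and each line is mapped to the step it corresponds to.

```ini
# Added example, not from the Splunk documentation page. Constructed values:
# replace the hosts, channels and index with your own.

# Step 4: the "Event Log collection name" becomes the stanza name after "WMI:"
[WMI:DomainControllerSecurity]
# Steps 5 and 8: hosts to read from (short name, FQDN or IP), comma-separated
server = dc01.example.local, dc02.example.local
# Step 7: the event log channels chosen from "Available log(s)"
event_log_file = Security, System
# Step 9: destination index (leave this out to use the default index)
index = wineventlog
# How often, in seconds, to poll the remote hosts for new events
interval = 10
# Step 10: the input is enabled on save
disabled = 0
```

The stanza belongs in $SPLUNK_HOME/etc/system/local/wmi.conf (or the local directory of an app), and Splunk must be restarted to pick it up. As with the Splunk Web input, the Security channel only arrives if the account Splunk runs as may read it on the remote hosts; the channels appearing in the file do not grant that right.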

This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0, 5.0.1, 5.0.2


Comments

When I click Find Logs I get the error below. How to fix it?
Error: Failed to fetch data: In handler 'win-wmi-enum-eventlogs': Unable to get wmi classes from host '192.168.1.29'. This host may not be reachable or WMI may be misconfigured

Tesfit
October 17, 2012

Hi Administrator123,

In order to collect data from a remote machine using WMI, you must install and configure Splunk to run as a user with access to WMI. If you install Splunk as the Local System user, it will only have access to data on the machine on which it's installed.

For additional information on how to collect data from remote Windows machines with Splunk, review http://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindowsdata. In the meantime, I'll update this topic to include a notice and links to this additional information.

Malmoore, Splunker
March 22, 2012
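The error quoted in this thread ("Unable to get wmi classes from host ... This host may not be reachable or WMI may be misconfigured") covers two distinct failure causes: the remote host cannot be reached over RPC/DCOM, or it can be reached but the account Splunk runs as is not allowed to use WMI there. The script below is an added diagnostic, not code from the Splunk documentation or product, for separating those causes from the Splunk host. It runs the same WMI query that the "Find logs..." step depends on (enumerating Win32_NTEventlogFile) and reports which of the two problems it hit. The host name and the optional credential are constructed placeholders.

```powershell
# Added diagnostic, not part of the Splunk documentation. Run it on the Splunk
# host, either in a session running as the account Splunk is installed under
# or with -Credential to test a candidate account. Values are constructed.
param(
    [string]$ComputerName = 'winsrv01.example.local',   # assumed remote host
    [pscredential]$Credential = $null                  # optional account to test
)

# Stage 1: reachability. Remote WMI rides on DCOM/RPC, so the RPC endpoint
# mapper (TCP 135) must answer before any WMI call can succeed.
$rpcOpen = Test-NetConnection -ComputerName $ComputerName -Port 135 -InformationLevel Quiet
if (-not $rpcOpen) {
    Write-Warning "TCP 135 (RPC endpoint mapper) is not reachable on $ComputerName; check name resolution, the network path and the host firewall."
}

# Stage 2: the enumeration behind "Find logs...": list the event log channels
# that the remote host exposes through the Win32_NTEventlogFile class.
$params = @{ Class = 'Win32_NTEventlogFile'; ComputerName = $ComputerName; ErrorAction = 'Stop' }
if ($Credential) { $params['Credential'] = $Credential }
$who = if ($Credential) { $Credential.UserName } else { [Security.Principal.WindowsIdentity]::GetCurrent().Name }

try {
    $logs = Get-WmiObject @params
    "WMI enumeration succeeded on $ComputerName as $who; channels available to Splunk:"
    $logs |
        Select-Object LogfileName, NumberOfRecords, @{ n = 'SizeMB'; e = { [math]::Round($_.FileSize / 1MB, 1) } } |
        Format-Table -AutoSize
}
catch [System.UnauthorizedAccessException] {
    # HRESULT 0x80070005: the host answered but refused this account. Splunk
    # running as Local System shows up here, since that identity has no
    # rights on other machines.
    Write-Warning "Access denied on $ComputerName for $who. Splunk must run as a domain account that is allowed remote DCOM access and WMI namespace access on the target."
}
catch [System.Runtime.InteropServices.COMException] {
    # HRESULT 0x800706BA ("RPC server unavailable") is the usual reachability
    # failure: host down, wrong name, or a firewall dropping DCOM traffic.
    Write-Warning ("WMI connection to {0} failed (HRESULT 0x{1:X8}): {2}" -f $ComputerName, $_.Exception.HResult, $_.Exception.Message)
}
catch {
    Write-Warning ("WMI query against {0} failed: {1}" -f $ComputerName, $_.Exception.Message)
}
```

Get-WmiObject is a Windows PowerShell (up to 5.1) cmdlet, which matches the Splunk versions this topic covers; on PowerShell 7 the equivalent is Get-CimInstance over a DCOM CIM session. If Stage 1 passes and Stage 2 reports access denied, the fix is on the account side (which user Splunk runs as and what it is permitted on the target), not on the Splunk input; if Stage 1 fails, no Splunk setting will help until the host answers on RPC.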

When I click Find Logs I get the error below. How to fix it?
Error: Failed to fetch data: In handler 'win-wmi-enum-eventlogs': Unable to get wmi classes from host '192.168.1.29'. This host may not be reachable or WMI may be misconfigured

Administrator123
March 22, 2012
