Windows event logs - remote
Splunk can monitor Windows event logs, both locally and remotely over WMI. Whether you are alerting on security events or reporting on and searching various event IDs to determine the health of your Windows systems, Splunk's event log collection capabilities make it a snap.
Important: To collect Windows event logs remotely, your Splunk instance must be installed as a user with privileges on the machines from which you want to collect the logs. Review "Considerations for deciding how to monitor remote Windows data" in this manual for additional information.
To get remote Windows event log data, point Splunk at a remote machine's Event Log service:
1. From the Home page in Splunk Web, click Add data.
2. Under the To get started... banner, click Windows event logs.
3. Click Next under Collect Windows event logs from another machine.
4. In the Event Log collection name field, type in a unique name for the event logs you will be collecting.
5. In the Choose logs from this host field, enter the hostname for a machine on your Windows network. You can specify a short hostname, the server's fully qualified domain name, or its IP address.
6. Click Find logs… to get a list of the available event log channels on the remote machine.
7. In the Available log(s) window that appears, click once on the event log channels you want Splunk to monitor.
The log channels will appear in the Selected Logs window.
8. Optionally, you can specify additional servers to collect the same set of event logs from. Type in each of the hostnames, separating them with commas.
9. Another option is to set the destination index for this source. You can do so by selecting an index from the Index drop-down box.
10. Click Save.
11. From the Success page, click Search to start searching. You can enter any term that’s in your data, or you can click on a source, source type or host to see data from the events as they come into Splunk.
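The same collection expressed as a wmi.conf stanza, added here as an example that is not part of this page: wmi.conf is the configuration file behind this wizard, the stanza prefix and key names are the ones Splunk documents for wmi.conf, and the host names, channel list and index name are constructed placeholders. The stanza is read by the Splunk instance's service account, so the privilege requirement in the Important note above applies to it in the same way.

```ini
# Added example (not from this page): wmi.conf stanza equivalent to the
# Splunk Web steps above. Host names, channels and index are constructed.

# Step 4: the Event Log collection name becomes the stanza name
[WMI:WebTierEventLogs]

# Steps 5 and 8: hosts to collect from, comma-separated
# (short name, FQDN or IP address are all accepted)
server = web01.corp.example, web02.corp.example, 10.0.5.23

# Step 7: the channels chosen in the Available log(s) window
event_log_file = Security, System, Application

# Polling interval in seconds; required in wmi.conf although it is not
# one of the wizard steps above
interval = 10

# Step 9: destination index (constructed name; it must already exist)
index = wineventlog

# Enable the stanza
disabled = 0
```

After editing wmi.conf, restart Splunk so the new stanza is picked up.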
For more information on getting data from Windows event logs, see "Monitor Windows event log data" in this manual.
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14