Splunk® Enterprise

Getting Data In

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Windows event logs - remote

Splunk can monitor Windows event logs, both locally and remotely over WMI. Whether it's for alerting on security or reporting on or searching of various event iDs to determine the health of your Windows systems, Splunk's event log collection capabilities make it a snap.

Important: To collect Windows event logs remotely, your Splunk instance must be installed as a user with privileges to the machines that you want to collect the logs. Review "Considerations for deciding how to monitor remote Windows data" in this manual for additional information.

To get remote Windows event log data, point Splunk at a remote machine's Event Log service:

1. From the Home page in Splunk Web, click Add data.

2. Under the To get started... banner, click Windows event logs.

3. Click Next under Collect Windows event logs from another machine.

4. In the Event Log collection name field, type in a unique name for the event logs you will be collecting.

5. In the Choose logs from this host field, enter the hostname for a machine on your Windows network. You can specify a short hostname, the server's fully qualified domain name, or its IP address.

6. Click Find logs… to get a list of the available event log channels on the remote machine.

7. In the Available log(s) window that appears, click once on the event log channels you want Splunk to monitor.

The log channels will appear in the Selected Logs window.

8. Optionally, you can specify additional servers to collect the same set of event logs from. Type in each of the hostnames, separating them with commas.

9. Another option is to set the destination index for this source. You can do so by selecting an index from the Index drop-down box.

10. Click Save.

11. From the Success page, click Search to start searching. You can enter any term that’s in your data, or you can click on a source, source type or host to see data from the events as they come into Splunk.

For more information on getting data from Windows event logs, see "Monitor Windows event log data" in this manual.

PREVIOUS
Windows event logs - local
  NEXT
Windows event logs - many remote

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Comments

when i Click Find Logs i prompt below error. How to fit it?<br />Error: Failed to fetch data: In handler 'win-wmi-enum-eventlogs': Unable to get wmi classes from host '192.168.1.29'. This host may not be reachable or WMI may be misconfigured

Tesfit
October 17, 2012

Hi Administrator123,<br /><br />In order to collect data from a remote machine using WMI, you must install and configure Splunk to run as a user with access to WMI. If you install Splunk as the Local System user, it will only have access to data on the machine on which it's installed.<br /><br />For additional information on how to collect data from remote Windows machines with Splunk, review http://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindowsdata. In the meanwhile, I'll update this topic to include a notice and links to this additional information.

Malmoore, Splunker
March 22, 2012

when i Click Find Logs i prompt below error. How to fit it?<br />Error: Failed to fetch data: In handler 'win-wmi-enum-eventlogs': Unable to get wmi classes from host '192.168.1.29'. This host may not be reachable or WMI may be misconfigured

Administrator123
March 22, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters