Windows event logs - local
Splunk allows for fast, easy collection of Windows event logs. Whether it's for alerting on security events, reporting, or searching for specific event IDs to determine the health of your Windows systems, Splunk's event log collection capabilities make it a snap.
To get local Windows event log data, point Splunk at your Event Log service:
1. From the Home page in Splunk Web, click Add data.
2. Under the To get started... banner, click Windows event logs.
3. Click Next under Collect Windows event logs from this Splunk server.
4. In the "Available Logs" window, click the event log channels that you want Splunk to monitor. The selected channels appear in the "Selected Logs" window.
5. Optionally, set the destination index for this source by selecting an index from the Index drop-down box.
6. Click Save.
7. From the Success page, click Search to start searching. You can enter any term that’s in your data, or you can click on a source, source type or host to see data from the events as they come into Splunk.
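The steps above write an equivalent stanza to inputs.conf on the Splunk server, so the same collection can be defined directly in that file. This is an added example, not configuration from the page; the index name, the chosen channels and the whitelisted event codes are assumptions.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf (added example)
# One stanza per Windows event log channel, matching the channels
# picked in the "Available Logs" window (step 4).

[WinEventLog://Security]
disabled = 0
# Read the whole channel on first start, then keep following it.
start_from = oldest
current_only = 0
# How often (seconds) the read position is persisted.
checkpointInterval = 5
# Destination index, as chosen from the Index drop-down (step 5).
# "wineventlog" is an assumed index name; it must already exist.
index = wineventlog
# Collect only the event IDs you alert on; these codes are an
# example choice (4624 logon success, 4625 logon failure, 4688 process creation).
whitelist = 4624,4625,4688

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
```

After editing the file, restart Splunk (or reload the input) and verify with a search such as `index=wineventlog sourcetype=WinEventLog:Security` that events arrive in the expected index.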
For more information on getting Windows event log data into Splunk, see "Monitor Windows event log data" in the Getting Data In manual.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14