Splunk® Enterprise

Getting Data In


Windows event logs - remote

Splunk Enterprise can monitor Windows event logs, both locally and remotely over WMI. You can use this input to alert on security events or to search for specific event IDs to determine the health of your Windows systems.

Important: To collect Windows event logs remotely, your Splunk Enterprise instance must run as a user account (typically a domain account, not Local System) that has permission to read event logs over WMI on the remote Windows machines. See "Considerations for deciding how to monitor remote Windows data" in this manual.

To get remote Windows event log data, point Splunk Enterprise at a remote Windows machine:

A. Go to the Add New page

You add an input from the Add New page in Splunk Web. See "How do you want to add data?" in this manual.

You can get there by two routes:

  • Splunk Home
  • Splunk Settings

Via Splunk Settings:

1. Click Settings in the upper right-hand corner of Splunk Web.

2. In the Data section of the Settings pop-up, click Data Inputs.

3. Click Remote event log collection.

4. Click the New button to add an input.

Via Splunk Home:

1. Click the Add Data link in Splunk Home.

2. Click Monitor to monitor Event Log data on a remote Windows machine.

B. Select the input source

1. In the left pane, locate and select Remote Event Logs.

2. In the Event Log collection name field, enter a unique name for this input that you will remember.

3. In the Choose logs from this host field, enter the host name or IP address of the machine that contains the Event Log channels you want to monitor.

4. Click the Find logs button to refresh the page with a list of available Event Log channels on the server you entered.

5. Click once on each Event Log channel you want to monitor. Splunk Enterprise moves the channel from the "Available items" window to the "Selected items" window.

6. To unselect a channel, click on its name in the "Selected items" window. Splunk Enterprise moves the channel from the "Selected items" window back to the "Available items" window.

7. To select or unselect all of the event logs, click on the "add all" or "remove all" links. Important: Selecting all of the channels can result in the indexing of a lot of data, possibly more than your license allows.

8. In the Collect the same set of logs from additional hosts field, enter host names or IP addresses of additional machines that contain the Event Logs you selected previously. Separate multiple hosts with commas.

9. Click the green Next button.

C. Specify input settings

The Input Settings page lets you specify application context, default host value, and index. All of these parameters are optional.

1. Select the appropriate Application context for this input.

2. Set the Host name value. You have several choices for this setting. Learn more about setting the host value in "About hosts".

Note: Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network.

3. Set the Index that Splunk Enterprise should send data to. Leave the value as "default", unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.

4. Click the green Review button.

D. Review your choices

After specifying all your input settings, you can review your selections. Splunk Enterprise lists all options you selected, including but not limited to the type of monitor, the source, the source type, the application context, and the index.

Review the settings. If they do not match what you want, click the white < button to go back to the previous step in the wizard. Otherwise, click the green Submit button.

Splunk Enterprise then loads the "Success" page and begins indexing the specified Event Log channels.
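The wizard steps above reduce to three things: an account that can reach each target over DCOM/WMI, a set of Event Log channels that account can actually read, and a wmi.conf stanza recording the choice. The PowerShell script below is an added example, not from the Splunk documentation or from Splunk's own tooling. Run it on the Splunk Enterprise host as the splunkd service account (or pass -Credential) before you create the input: it reproduces the "Find logs" step from the command line, probes a read on each channel you intend to select, prints the current on-disk size of each channel so you can gauge the license impact warned about in step B.7, and finally prints the wmi.conf stanza equivalent to your wizard choices. The host names, channel list, credential and stanza name are placeholders; the stanza keys follow the wmi.conf format described in "Monitor Windows event log data".

```powershell
<#
  Added example; not part of the Splunk documentation or of Splunk's own tooling.
  Pre-flight check for remote Event Log collection over WMI, run from the Splunk
  Enterprise host as the account splunkd runs under (or with -Credential).
  Host names, channel list and stanza name are placeholders (assumptions).
  Usage (hypothetical names):
    .\Test-RemoteEventLog.ps1 -ComputerName dc01.corp.example, fs01.corp.example `
        -Channel Application, System, Security -Credential (Get-Credential CORP\svc_splunk)
#>
param(
    [Parameter(Mandatory)][string[]]$ComputerName,                # "Choose logs from this host" plus additional hosts
    [string[]]$Channel = @('Application', 'System', 'Security'),   # channels you would move to "Selected items"
    [System.Management.Automation.PSCredential]$Credential,        # omit to use the current logon session
    [string]$StanzaName = 'RemoteEventLogs',                       # hypothetical "Event Log collection name"
    [int]$IntervalSeconds = 10                                     # polling interval in seconds
)

# Get-WmiObject uses DCOM, the same transport Splunk uses for this input. Get-CimInstance
# defaults to WinRM, so a passing Get-CimInstance call would prove nothing about DCOM access.
$wmiArgs = @{ Namespace = 'root\cimv2'; ErrorAction = 'Stop' }
if ($Credential) { $wmiArgs['Credential'] = $Credential }

$reachable = @()
foreach ($target in $ComputerName) {
    try {
        # Equivalent of the wizard's "Find logs": enumerate the channels this account can see remotely.
        $logs = Get-WmiObject @wmiArgs -ComputerName $target -Class Win32_NTEventlogFile
    } catch {
        $msg = '{0}: WMI enumeration failed ({1}). Check the firewall, DCOM and WMI "Remote Enable" rights, and that splunkd runs as a domain account rather than Local System.' -f $target, $_.Exception.Message
        Write-Warning $msg
        continue
    }

    $available = $logs | ForEach-Object { $_.LogfileName }
    foreach ($c in $Channel) {
        $log = $logs | Where-Object { $_.LogfileName -eq $c }
        if (-not $log) {
            Write-Warning ('{0}: channel "{1}" is not visible to this account. Available: {2}' -f $target, $c, ($available -join ', '))
            continue
        }

        # Enumerating a channel is not the same as reading it (the Security log in particular
        # needs Event Log Readers or equivalent rights), so fetch one record as a read probe.
        try {
            $probe = Get-WmiObject @wmiArgs -ComputerName $target `
                -Query "SELECT RecordNumber FROM Win32_NTLogEvent WHERE Logfile='$c'" | Select-Object -First 1
            $readable = if ($probe) { 'read OK' } else { 'no records returned (empty log or no read access)' }
        } catch {
            $readable = 'read FAILED: ' + $_.Exception.Message
        }

        # Rough volume estimate for the license warning in step B.7: current on-disk size of the channel.
        '{0,-18} {1,-12} {2,12:N0} records {3,8:N1} MB  {4}' -f $target, $c, $log.NumberOfRecords, ($log.FileSize / 1MB), $readable
    }
    $reachable += $target
}

if (-not $reachable) { throw 'No host could be enumerated over WMI; fix access before creating the input.' }

# The wmi.conf stanza equivalent to these wizard choices. Splunk Web writes it under the
# selected app context (assumed: $SPLUNK_HOME/etc/apps/<app>/local/wmi.conf).
@"
[WMI:$StanzaName]
server = $($reachable -join ', ')
interval = $IntervalSeconds
event_log_file = $($Channel -join ', ')
disabled = 0
"@
```

If a host fails the enumeration step but the same account can log on interactively, the usual causes are the Windows Firewall blocking DCOM, the account lacking "Remote Enable" on the root\cimv2 namespace, or splunkd running as Local System; fix those on the target rather than widening the account's group memberships.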

For more information on getting data from Windows event logs, see "Monitor Windows event log data" in this manual.


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0


Comments

This recipe does not use the universal forwarder. It uses WMI to gather Windows data from a remote machine, and must be set up to do so in advance.

Malmoore
February 20, 2015

Is this material outdated? It doesn't seem to match the instructions for the Universal Forwarder.

Hubb 99
February 20, 2015
