Spread our blog

How To Take Windows Event Logs From Local Widows Machine To Splunk

Hi Guys!!!
Today we have come with easy yet useful topic. We are going to show how we can onboard windows event logs from local windows machine to Splunk.
So, let’s start.
Step: 1
Login to the Splunk instance with you credential.


Step: 2
Now click on the “Data inputs” under “Settings” option.


Step: 3
Now, click on the “Edit” option of “Local event log collection”.


Step: 4
Here, we are going to select the sources from where we are going to gather the logs.


Explanation:
From “Available log(s)” there are so many sources available. From all the options of sources we have taken “Application”, “Security”, “System” sources, you can select any sources according to your requirement.
Then, in the “index” dropdown option we have selected the index “wineventlog”, which we have already created before. You can select any index according to your requirement, but the index should be present before.
Then click on the “Save” option.
Step: 5
As, you can see in this step the input is successfully updated. Now, let’s see the logs are coming or not.


Step: 6
Please, see the below query,

index=”wineventlog”

Explanation:
Here, we have used the index “wineventlog” and as you can see all the logs are coming. Also, when we have clicked on the “source” option, we can see all the three sources are sending logs.
Now, if you want to bring the windows event logs using configuration file, please see the following steps.
1) First go inside $SPLUNK_HOME\etc\system\local
2) Open  inputs.conf in a notepad
3) Add the following stanzas,

[WinEventLog://Application]
index = wineventlog

[WinEventLog://Security]
index = wineventlog

[WinEventLog://System]
index = wineventlog

4) cd $SPLUNK_HOME\bin
5) .\splunk restart

NOTE: These stanzas are only for three sources “Application”, “Security”, “System”. You can add stanzas according to you requirement. Splunk must be running on the windows server.

You can also know about :  Real-time Vs Historical searches & Reports

Hope you have understood “How To Take Windows Event Logs From Local Widows Machine To Splunk”.

Happy Splunking !!!

What’s your Reaction?
+1
1
+1
+1
1
+1
+1
3
+1
1
+1

Spread our blog

LEAVE A REPLY

Please enter your comment!
Please enter your name here