Which of the following actions enables you to view the event viewer of a remote computer?

Windows generates log data during the course of its operations. The Windows Event Log service handles nearly all of this communication. It gathers log data that installed applications, services, and system processes publish and places the log data into event log channels. Programs such as Microsoft Event Viewer subscribe to these log channels to display events that have occurred on the system.

You can monitor event log channels and files that are on the local machine or you can collect logs from remote machines. The event log monitor runs once for every event log input that you define.

To monitor Windows Event Log channels in Splunk Cloud Platform, use a Splunk universal or heavy forwarder to collect the data and forward it to your Splunk Cloud Platform deployment. As a best practice, use the Splunk Add-on for Windows to simplify the process of getting data into Splunk Cloud Platform. For instructions on using the Splunk Add-on for Windows to get data into Splunk Cloud Platform, see Get Windows Data Into Splunk Cloud in the Splunk Cloud Admin Manual.

Why monitor event logs?

Windows event logs are the core metric of Windows machine operations. If there is a problem with your Windows system, the Event Log service has logged it. The Splunk platform indexing, searching, and reporting capabilities make your logs accessible.

Requirements for monitoring event logs

ActivityRequirementsMonitor local event logs

The Splunk universal forwarder or Splunk Enterprise instance must run on Windows. See Install on Windows in the Installation Manual.
The Splunk universal forwarder or Splunk Enterprise instance must run as the Local System Windows user to read all local event logs.

Monitor remote event logs

The universal forwarder or heavy forwarder must run on the Windows machine from which you want to collect event logs.
The Splunk universal forwarder or heavy forwarder must run as a domain or remote user with read access to Windows Management Instrumentation (WMI) on the remote machine. See Choose the Windows user Splunk Enterprise should run as in the Installation Manual.
The user that the forwarder runs as must have read access to the event logs you want to collect.

Security and other considerations for collecting event log data from remote machines

You collect event log data from remote machines using a universal forwarder, a heavy forwarder, or WMI. As a best practice, use a universal forwarder to send event log data from remote machines to an indexer. See The universal forwarder in the Universal Forwarder manual for information about how to install, configure and use the forwarder to collect event log data. If you can't install a forwarder on the machine where you want to get data, you can use a WMI.

To install forwarders on your remote machines to collect event log data, install the forwarder as the Local System user on these machines. The Local System user has access to all data on the local machine, but not on remote machines.

To use WMI to get event log data from remote machines, you must ensure that your network and Splunk Enterprise instances are properly configured. Do not install Splunk software as the Local System user. The user you use to install the software determines the event logs that Splunk software has access to. See for additional information on the requirements you must satisfy to collect remote data properly using WMI.

By default, Windows restricts access to some event logs depending on the version of Windows you run. For example, only members of the local Administrators or global Domain Admins groups can read the Security event logs by default.

How the Windows Event Log monitor interacts with Active Directory

When you set up an Event Log monitoring input for WMI, the input connects to an Active Directory (AD) domain controller to authenticate and, if necessary, performs any security ID (SID) translations before it begins to monitor the data.

The Event Log monitor uses the following logic to interact with AD after you set it up:

If you specify a domain controller when you define the input with the # Windows platform specific input processor. [WinEventLog://Application] disabled = 0 [WinEventLog://Security] disabled = 0 [WinEventLog://System] disabled = 0 6 setting in the inputs.conf file, then the input uses that domain controller for AD operations.
If you do not specify a domain controller, then the input does the following:
1. The input attempts to use the local system cache to authenticate or resolve SIDs.
2. If the monitor cannot authenticate or resolve SIDs that way, it attempts a connection to the domain controller that the machine that runs the input used to log in.
3. If that does not work, then the input attempts to use the closest AD domain controller that has a copy of the Global Catalog.
If the domain controller that you specify is not valid, or a domain controller cannot be found, then the input generates an error message.

Collect event logs from a remote Windows machine

You have two choices to collect data from a remote Windows machine:

Use a universal forwarder
Use WMI

Use a universal or heavy forwarder

You can install a universal forwarder or a heavy forwarder on the Windows machine and instruct it to collect event logs. You can do this manually or use a deployment server to manage the forwarder configuration.

On the Windows machine for which you want to collect Windows Event Logs, download Splunk Enterprise or the universal forwarder software.
Run the universal forwarder installation package to begin the installation process.
When the installer prompts you, configure a receiving indexer.
When the installer prompts you to specify inputs, enable the event log inputs by checking the Event logs checkbox.
Complete the installation procedure.
On the receiving indexer, use Splunk Web to search for the event log data as in the following example:
# Windows platform specific input processor. [WinEventLog://Application] disabled = 0 [WinEventLog://Security] disabled = 0 [WinEventLog://System] disabled = 0 7

For specific instructions to install the universal forwarder, see Install a Windows universal forwarder in the Forwarder Manual.

Use WMI

If you want to collect event logs remotely using WMI, you must install the universal or heavy forwarder to run as an Active Directory domain user. If the selected domain user is not a member of the Administrators or Domain Admins groups, then you must configure event log security to give the domain user access to the event logs.

To change event log security to get access to the event logs from remote machines, you must meet the following requirements:

You can use the wevtutil utility to set event log security.

Download a Splunk Enterprise instance onto a Windows machine.
Double-click the installer file to begin the installation.
When the installer prompts you to specify a user, select Domain user.
On the next installer pane, enter the domain user name and password that you want Splunk Enterprise to use when it runs.
Follow the prompts to complete the installation of the software.
Once the software has installed, log in to the instance.
Use Splunk Web to add the remote event log input. See later in this topic.

Anomalous machine names are visible in event logs on some systems

On some Windows systems, you might see some event logs with randomly-generated machine names. This is the result of those systems logging events before the user has named the system during the OS installation process.

This anomaly occurs only when you collect logs from versions of Windows remotely over WMI.

Configure local event log monitoring with Splunk Web

To get local Windows event log data, point your Splunk Enterprise instance at the Event Log service.

Go to the Add Data page

You can get there in two ways:

Splunk Settings
Splunk Home

From Splunk Settings:

Click Settings > Data Inputs.
Click Local event log collection.
Click New to add an input.

From Splunk Home:

Click the Add Data link in Splunk Home.
Click Monitor to monitor Event Log data on the local Windows machine, or Forward to forward Event Log data from another Windows machine.
Splunk Enterprise loads the Add Data - Select Source page.
If you selected Forward, select or create the group of forwarders you want this input to apply to. See Forward data in this manual.
Click Next.

Select the input source

Select Local Event Logs
In the Select Event Logs list, select the Event Log channels you want this input to monitor.
Click each Event Log channel you want to monitor once.
Splunk Enterprise moves the channel from the Available items window to the Selected items window.
To deselect a channel, click its name in the Available Items window.
Splunk Enterprise moves the channel from the Selected items window to the Available items window.
To select or deselect all of the event logs, click the add all or remove all links.
Selecting all of the channels can result in the indexing of a lot of data.
Click Next.

Specify input settings

The Input Settings page lets you specify the application context, default host value, and index. All of these parameters are optional.

The Host field sets only the host field in the resulting events. It doesn't direct Splunk Enterprise to look on a specific machine on your network.

Select the appropriate Application context for this input.
Set the Host value. You have several choices for this setting. For more information about setting the host value, see About hosts.
Set the Index that you want Splunk Enterprise to send data to. Leave the value as default, unless you defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.
Click Review.

Review your choices

After you specify all your input settings, you can review your selections. Splunk Enterprise lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.

Review the settings.
If they do not match what you want, click the left angle bracket ( < ) to go back to the previous step in the wizard. Otherwise, click Submit.

Splunk Enterprise then displays the "Success" page and begins indexing the specified Event Log channels.

Configure remote event log monitoring with Splunk Web

The process for configuring remote event log monitoring is nearly identical to the process for monitoring local event logs.

Follow the instructions to get to the Add Data page. See .
Locate and select Remote Event Logs.
In the Event Log collection name field, enter a unique, memorable name for this input.
In the Choose logs from this host field, enter the host name or IP address of the machine that contains the Event Log channels you want to monitor.
Selecting all of the Event Log channels can result in the indexing of a lot of data.
Click the Find logs button to refresh the page with a list of available Event Log channels on the machine you entered.
Click once on each Event Log channel you want to monitor.
Splunk Enterprise moves the channel from the Available items window to the Selected items window.
To deselect a channel, click its name in the Available Items window.
Splunk Enterprise moves the channel from the Selected items window to the Available items window.
To select or deselect all of the event logs, click the add all or remove all links.
In the Collect the same set of logs from additional hosts field, enter the host names or IP addresses of additional machines that contain the Event Logs you selected previously. Separate multiple machines with commas.
Click the green Next button.
Follow the instructions to specify input settings. See .
Follow the instructions to review your choices. See .

Use the inputs.conf configuration file to configure event log monitoring

On either a universal or heavy forwarder, you can edit the inputs.conf configuration file to configure Windows event log monitoring.

Using Notepad or a similar editor, open %SPLUNK_HOME%\etc\system\local\inputs.conf for editing. You might need to create this file if it doesn't exist.
Enable Windows event log inputs by adding input stanzas that reference Event Log channels.
Save the file and close it.
Restart the Splunk platform.

For more information on configuring data inputs with the inputs.conf file, see .

Specify global settings for Windows Event Log inputs

When you define Windows Event Log inputs in inputs.conf, make sure you explicitly specify global settings in the correct place.

If you specify global settings for Windows Event Log inputs, such as # Windows platform specific input processor. [WinEventLog://Application] disabled = 0 [WinEventLog://Security] disabled = 0 [WinEventLog://System] disabled = 0 8, # Windows platform specific input processor. [WinEventLog://Application] disabled = 0 [WinEventLog://Security] disabled = 0 [WinEventLog://System] disabled = 0 9, and so on, you can place those settings in one of the following areas:

Under the [WinEventLog://DNS Server] disabled = 0 [WinEventLog://Directory Service] disabled = 0 [WinEventLog://File Replication Service] disabled = 0 0 global stanza. This stanza is equal to the [WinEventLog://DNS Server] disabled = 0 [WinEventLog://Directory Service] disabled = 0 [WinEventLog://File Replication Service] disabled = 0 1 stanza for other monitoring inputs. For example:
[default] _meta = hf_proxy::meta_test [WinEventLog] _meta = hf_proxy::meta_test host = WIN2K16_DC index = wineventlog [WinEventLog://Application] disabled = 0
Under the Windows Event Log input stanza for the Event Log channel that you want to monitor. For example:
[default] _meta = hf_proxy::meta_test [WinEventLog] host = WIN2K16_DC index = wineventlog [WinEventLog://Application] disabled = 0 _meta = hf_proxy::meta_test

You can review the defaults for a configuration file by looking at the examples in %SPLUNK_HOME%\etc\system\default or at the spec file in the Admin Manual.

Event log monitor configuration values

Windows event log (*.evt) files are in binary format. You can't monitor them like you do a normal text file. The [WinEventLog://DNS Server] disabled = 0 [WinEventLog://Directory Service] disabled = 0 [WinEventLog://File Replication Service] disabled = 0 2 service monitors these binary files by using the appropriate APIs to read and index the data within the files.

Splunk Enterprise uses the following stanzas in inputs.conf to monitor the default Windows event logs:

# Windows platform specific input processor. [WinEventLog://Application] disabled = 0 [WinEventLog://Security] disabled = 0 [WinEventLog://System] disabled = 0

Monitor non-default Windows event logs

You can also configure Splunk Enterprise to monitor non-default Windows event logs. Before you can do this, you must import them to the Windows Event Viewer. After you import the logs, you can add them to your local copy of inputs.conf, as in the following example:

[WinEventLog://DNS Server] disabled = 0 [WinEventLog://Directory Service] disabled = 0 [WinEventLog://File Replication Service] disabled = 0

Use the Full Name log property in Event Viewer to specify complex Event Log channel names properly

You can use the [WinEventLog://DNS Server] disabled = 0 [WinEventLog://Directory Service] disabled = 0 [WinEventLog://File Replication Service] disabled = 0 3 Event Log property in Event Viewer to ensure that you specify the correct Event Log channel in an inputs.conf stanza.

For example, to monitor the Task Scheduler application log, [WinEventLog://DNS Server] disabled = 0 [WinEventLog://Directory Service] disabled = 0 [WinEventLog://File Replication Service] disabled = 0 4, do the following steps:

Open Event Viewer.
Expand Applications and Services Logs > Microsoft > Windows > TaskScheduler.
Right-click Operational and select Properties.
In the dialog that appears, copy the text in the Full Name field.
Append this text into the [WinEventLog://DNS Server] disabled = 0 [WinEventLog://Directory Service] disabled = 0 [WinEventLog://File Replication Service] disabled = 0 5 stanza of inputs.conf as in the following example:
[WinEventLog://Microsoft-Windows-TaskScheduler/Operational] disabled = 0

Disable an event log stanza

To disable indexing for an event log, add [WinEventLog://DNS Server] disabled = 0 [WinEventLog://Directory Service] disabled = 0 [WinEventLog://File Replication Service] disabled = 0 6 after its listing in the stanza in %SPLUNK_HOME%\etc\system\local\inputs.conf.

Configuration settings for monitoring Windows Event Logs

Splunk software uses the following settings in inputs.conf to monitor Event Log files:

AttributeDescriptionDefault[WinEventLog://DNS Server] disabled = 0 [WinEventLog://Directory Service] disabled = 0 [WinEventLog://File Replication Service] disabled = 0 7

How to read events.

Acceptable values are [WinEventLog://DNS Server] disabled = 0 [WinEventLog://Directory Service] disabled = 0 [WinEventLog://File Replication Service] disabled = 0 8, meaning read logs from the oldest to the newest, and [WinEventLog://DNS Server] disabled = 0 [WinEventLog://Directory Service] disabled = 0 [WinEventLog://File Replication Service] disabled = 0 9, meaning read logs from the newest to the oldest.

You can't set this attribute to [WinEventLog://DNS Server] disabled = 0 [WinEventLog://Directory Service] disabled = 0 [WinEventLog://File Replication Service] disabled = 0 9 while also setting the [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] disabled = 0 1 attribute to [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] disabled = 0 2.

[WinEventLog://DNS Server] disabled = 0 [WinEventLog://Directory Service] disabled = 0 [WinEventLog://File Replication Service] disabled = 0 8[WinEventLog://Microsoft-Windows-TaskScheduler/Operational] disabled = 0 1

How to index events.

Acceptable values are [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] disabled = 0 2, where the input acquires events that arrive after the input starts for the first time, like [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] disabled = 0 6 on *nix systems, or [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] disabled = 0 7, where the input gets all existing events in the log and then continues to monitor incoming events in real time.

0[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 # only index events with these event IDs. whitelist = 0-2000,3001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 1

How frequently, in seconds, the Windows Event Log input saves a checkpoint.

Checkpoints store the eventID of acquired events to enable Splunk software to resume monitoring at the correct event after a shutdown or outage.

The domain controller Splunk software uses to interact with Active Directory while indexing Windows Event Log channels. Valid only when you set the [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 # only index events with these event IDs. whitelist = 0-2000,3001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 3 attribute to [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] disabled = 0 2 and omit the # Windows platform specific input processor. [WinEventLog://Application] disabled = 0 [WinEventLog://Security] disabled = 0 [WinEventLog://System] disabled = 0 6 attribute.

Valid values are [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 # only index events with these event IDs. whitelist = 0-2000,3001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 6, meaning to use the nearest domain controller to bind to for AD object resolution, or [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 # only index events with these event IDs. whitelist = 0-2000,3001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 7, meaning to bind to the primary domain controller for the AD site that the host is in. If you also set the # Windows platform specific input processor. [WinEventLog://Application] disabled = 0 [WinEventLog://Security] disabled = 0 [WinEventLog://System] disabled = 0 6 attribute, Splunk software ignores this attribute.

[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 # only index events with these event IDs. whitelist = 0-2000,3001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 6[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 # only index events with these event IDs. whitelist = 0-2000,3001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 3

How Splunk software interacts with Active Directory while indexing Windows Event Log channels. Valid values are [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] disabled = 0 2, meaning resolve Active Directory objects like Globally Unique IDentifier (GUID) and Security IDentifier (SID) objects to their canonical names for a specific Windows event log channel, and [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] disabled = 0 7, meaning not to attempt any resolution.

When you set this value to [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] disabled = 0 2, you can optionally specify the Domain Controller name or DNS name of the domain to bind to, which Splunk software uses to resolve the AD objects. If you don't set this value, or if you set it to 0, Splunk software does not attempt to resolve the AD objects.

0# Windows platform specific input processor. [WinEventLog://Application] disabled = 0 [WinEventLog://Security] disabled = 0 [WinEventLog://System] disabled = 0 6

Which Active Directory domain controller to bind to resolve AD objects. This name can be the NetBIOS name of the domain controller, the fully-qualified DNS name of the domain controller, or an environment variable name specified as [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 # suppress message text, we only want the event number. suppress_text = 1 # only index events with these event IDs. whitelist = 0-2000,2001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 5.

If you set this attribute, then Splunk software ignores the [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 # only index events with these event IDs. whitelist = 0-2000,3001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 2 attribute, which controls how the software determines the best domain controller to bind to for AD object resolution.

If you specify an environment variable, you must prepend a dollar sign ([WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 # suppress message text, we only want the event number. suppress_text = 1 # only index events with these event IDs. whitelist = 0-2000,2001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 7) to the environment variable name. Splunk software uses the specified environment variable as the domain controller to connect to for AD object resolution. For example, to use the [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 # suppress message text, we only want the event number. suppress_text = 1 # only index events with these event IDs. whitelist = 0-2000,2001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 8 variable, specify [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 # suppress message text, we only want the event number. suppress_text = 1 # only index events with these event IDs. whitelist = 0-2000,2001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 9.

You can precede either format with two backslash characters. This attribute does not have a default.

N/A[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 evt_dc_name = boston-dc1.contoso.com checkpointInterval = 5 # suppress message text, we only want the event number. suppress_text = 1 # only index events with these event IDs. whitelist = 0-2000,2001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 0The fully-qualified DNS name of the domain to bind to resolve AD objects.N/A[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 evt_dc_name = boston-dc1.contoso.com checkpointInterval = 5 # suppress message text, we only want the event number. suppress_text = 1 # only index events with these event IDs. whitelist = 0-2000,2001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 1A list of Windows Event Log fields that the Windows Event Log input is to exclude when it ingests Windows Event Log data. When you specify this setting, the input removes both the key and value data for the fields you exclude. This setting works similar to the [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 evt_dc_name = boston-dc1.contoso.com checkpointInterval = 5 # suppress message text, we only want the event number. suppress_text = 1 # only index events with these event IDs. whitelist = 0-2000,2001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 2 settings, but unlike those settings, this setting is valid for all Windows Event Log fields, and excludes fields that you might have included in an allow list. When this collision happens, the instance logs an error. See "Create advanced filters with 'whitelist' and 'blacklist'" later in this topic for the list of Windows Event Log fields that you can exclude.N/A[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 evt_dc_name = boston-dc1.contoso.com checkpointInterval = 5 # suppress message text, we only want the event number. suppress_text = 1 # only index events with these event IDs. whitelist = 0-2000,2001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 3Whether to include the message text that comes with a security event. A value of 1 suppresses the message text, and a value of 0 preserves the text.0[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 evt_dc_name = boston-dc1.contoso.com checkpointInterval = 5 # suppress message text, we only want the event number. suppress_text = 1 # only index events with these event IDs. whitelist = 0-2000,2001-10000 # exclude these event IDs from being indexed. blacklist = 2001-3000 4

Whether or not to read Event Log events with the Event Logging API.