Forwarded Events Logs

imrago - 6/13/2017
Instead of using a created folder Supercharger recommends, I have utilized the Forwarded Events folder. How would we adjust the outputs for LOGbinder's app for Splunk to accept logs from the Forwarded Events folder instead of the Supercharger-Destination-ADChanges/Log folder?

bobbychan - 6/13/2017
Create an inputs.conf in %SPLUNK_HOME%/etc/apps/logbinder/local/ if it does not already exist, and add this input:

[WinEventLog://ForwardedEvents]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest

In the props.conf there is already a section for Forwarded Events which changes the sourcetype to WinEventLog:Security and fixes the hostname, so no further action is needed in this case.
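The reply above says the app's props.conf already rewrites the sourcetype and the hostname for Forwarded Events. The following is an added illustration of what that rewrite has to do; it is not the LOGbinder app's own props.conf or transforms.conf (neither is shown in the thread). Events read from the ForwardedEvents channel on a Windows Event Collector carry the collector's hostname and a sourcetype of WinEventLog:ForwardedEvents, so a transform has to take the originating machine from the ComputerName= field and the channel from the LogName= field in the event body. The sample event, the collector name wec01.corp.example and the function name are constructed for this example, and it generalizes slightly by deriving the sourcetype from LogName rather than hard-coding Security.

```python
"""
Illustration of the host/sourcetype rewrite that a Splunk props.conf and
transforms.conf pair for source::WinEventLog:ForwardedEvents performs.
Not the LOGbinder app's real configuration; sample data is constructed.
"""
import re

# Constructed sample in the classic multi-line WinEventLog text format
# that the WinEventLog:// input produces.
SAMPLE_EVENT = """06/13/2017 10:15:32 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4728
EventType=0
Type=Information
ComputerName=DC01.corp.example
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=1234567
Keywords=Audit Success
Message=A member was added to a security-enabled global group.
"""

# Equivalent to transforms.conf stanzas of the form
#   REGEX = (?m)^LogName=(\S+)        FORMAT = sourcetype::WinEventLog:$1  DEST_KEY = MetaData:Sourcetype
#   REGEX = (?m)^ComputerName=(\S+)   FORMAT = host::$1                    DEST_KEY = MetaData:Host
# The (?m) flag matters: each key=value pair sits on its own line.
LOGNAME_RE = re.compile(r"(?m)^LogName=(\S+)")
COMPUTERNAME_RE = re.compile(r"(?m)^ComputerName=(\S+)")

# Assumed name of the Windows Event Collector that runs the forwarder.
COLLECTOR_HOST = "wec01.corp.example"


def normalize_forwarded_event(raw: str, collector_host: str = COLLECTOR_HOST) -> dict:
    """Return the metadata an event from ForwardedEvents should carry after
    the rewrite: sourcetype follows the original channel (Security, System,
    ...) and host follows the machine that generated the event, not the
    collector that read it. Without the rewrite the defaults below apply."""
    meta = {
        "source": "WinEventLog:ForwardedEvents",      # set by the input stanza
        "sourcetype": "WinEventLog:ForwardedEvents",  # default before any transform
        "host": collector_host,                       # default: machine that read the log
    }
    m = LOGNAME_RE.search(raw)
    if m:
        meta["sourcetype"] = f"WinEventLog:{m.group(1)}"
    m = COMPUTERNAME_RE.search(raw)
    if m:
        meta["host"] = m.group(1)
    return meta


if __name__ == "__main__":
    # Expected: sourcetype WinEventLog:Security, host DC01.corp.example
    print(normalize_forwarded_event(SAMPLE_EVENT))
```

Without the host rewrite every domain controller's audit events would appear under the collector's name, which is what "fixes the hostname" in the reply refers to; the sourcetype rewrite is what lets the app's existing WinEventLog:Security searches and dashboards pick the events up.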

imrago - 6/13/2017
Did you actually mean the path %SPLUNK_HOME%/etc/apps/logbinder/default/? If so, there is already a file with the setting currently as you provided minus the name of the stanza. If not, I will create the new path that you provided. Just wanted to make sure before I made these changes.

bobbychan - 6/13/2017
Yes, it was intentional. The contents of the default folder will be overwritten during an update of the app; the local folder is not affected. By using the local folder your changes will remain after an update.
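The reply above rests on how Splunk layers configuration inside an app: default/ is read first, local/ on top of it, stanza by stanza and key by key, and an app upgrade replaces default/ wholesale while leaving local/ alone. The following is an added simulation of that layering; it is not code from Splunk or the LOGbinder app, and the contents of the default layer (both the shipped and the "upgraded" version) are constructed stand-ins, not the app's real inputs.conf. It goes slightly beyond the thread by also showing a key-level override: a single disabled = 1 line in local/ switches off a stanza that default/ defines in full, without editing default/.

```python
"""
Simulation of Splunk's default/ vs local/ layering for one app.
Not Splunk's or the LOGbinder app's code; the default-layer contents
below are constructed for illustration.
"""
import configparser
import tempfile
from pathlib import Path

# Constructed stand-in for an app's shipped default/inputs.conf.
DEFAULT_INPUTS = """\
[WinEventLog://Supercharger-Destination-ADChanges/Log]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
"""

# local/inputs.conf: the stanza from the thread, plus (beyond the thread)
# a one-key override that disables the shipped input without touching default/.
LOCAL_INPUTS = """\
[WinEventLog://ForwardedEvents]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Supercharger-Destination-ADChanges/Log]
disabled = 1
"""

# Constructed: a later app version that changes a shipped default value.
UPGRADED_DEFAULT_INPUTS = """\
[WinEventLog://Supercharger-Destination-ADChanges/Log]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest
"""


def parse_conf(text: str) -> dict:
    """Parse one .conf file into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive (checkpointInterval)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def effective_config(app_dir: Path, conf_name: str = "inputs.conf") -> dict:
    """Merge default/<conf> then local/<conf>: the later layer wins per key,
    and a stanza or key present in only one layer is kept."""
    merged: dict = {}
    for layer in ("default", "local"):
        path = app_dir / layer / conf_name
        if path.exists():
            for stanza, keys in parse_conf(path.read_text()).items():
                merged.setdefault(stanza, {}).update(keys)
    return merged


def write_layer(app_dir: Path, layer: str, text: str, conf_name: str = "inputs.conf") -> None:
    target = app_dir / layer
    target.mkdir(parents=True, exist_ok=True)
    (target / conf_name).write_text(text)


def upgrade_app(app_dir: Path, new_default_text: str) -> dict:
    """An app upgrade rewrites default/ and never writes to local/."""
    write_layer(app_dir, "default", new_default_text)
    return effective_config(app_dir)


def demo() -> tuple:
    """Return (effective config before upgrade, effective config after upgrade)."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "logbinder"
        write_layer(app, "default", DEFAULT_INPUTS)
        write_layer(app, "local", LOCAL_INPUTS)
        before = effective_config(app)
        after = upgrade_app(app, UPGRADED_DEFAULT_INPUTS)
    return before, after


if __name__ == "__main__":
    for label, cfg in zip(("before upgrade", "after upgrade"), demo()):
        print(label)
        for stanza, keys in cfg.items():
            print(f"  [{stanza}]")
            for k, v in keys.items():
                print(f"    {k} = {v}")
```

Before and after the simulated upgrade the ForwardedEvents stanza is still present and the local disabled = 1 still wins, while the vendor's new checkpointInterval = 10 shows through because local/ never set that key. On a real deployment the same merged view is what splunk btool inputs list --debug prints, with the file each value came from.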

imrago - 6/13/2017
Just to clarify... I need to create a new local folder since there is not one there and insert the inputs.conf file into this folder. I do nothing with the default folder that has its own inputs.conf file in it.

bobbychan - 6/13/2017
Confirmed, that is the correct approach.

imrago - 6/13/2017
I have done so. What did you mean by the update of the app? Is it something that the user must initiate?

bobbychan - 6/13/2017
In the future a new version of this app might be made available and you might install it.

>Is it something that the user must initiate?

Yes, it is initiated by the user.

The fact that the local folder is not affected by an update applies to all Splunk apps.

imrago - 6/13/2017
When will I see the changes being made in AD in the Splunk App after I have created the new inputs.conf file?

bobbychan - 6/13/2017
It should be visible immediately.

Does this search return any events?

index=* source="WinEventLog:ForwardedEvents"

