How not to capture past Windows event logs
- Release date: 2017-09-01
- Last updated: 2023-07-28
- Version: Splunk Enterprise 9.0.4, Splunk Universal Forwarder 9.0.4
Default behavior when ingesting Windows event logs
Windows event logs are ingested by adding a [WinEventLog://<name>] stanza to inputs.conf.
Example: Application log
[WinEventLog://Application]
disabled = 0
When ingesting a Windows event log, Splunk starts reading from the past events already present in that log and works forward in sequence.
*If the Windows event log contains events from one year ago, reading starts from one year ago.
Specifying the "current_only" parameter and how ingestion state is managed
inputs.conf has a parameter called "current_only". By default it is 0 (disabled); setting it to 1 (enabled) makes Splunk acquire only the Windows event logs generated while Splunk is running.
For example, suppose you set "current_only = 1" and start ingesting Windows event logs at 12:00 on July 1.
In this case, the Windows event logs written while the Splunk service is running after 12:00 on July 1 are ingested.
*Past Windows event logs written before 12:00 on July 1 are not ingested.
Also, unlike file-based inputs such as [monitor://<path>], a [WinEventLog://<name>] input keeps track of how far it has ingested, and by specification Splunk excludes event log records older than those already ingested from that log.
* [WinEventLog://<name>] tracks ingestion progress by record number.
How not to capture past Windows event logs
Using the specifications above, you can operate so that only the Windows event logs written after the input settings are added are acquired.
【Operating procedure】
1. Add the following settings to the Splunk instance on the server that outputs the Windows event log.
Example: first-time ingestion
$SPLUNK_HOME/etc/apps/<any app>/local/inputs.conf
[WinEventLog://<name>]
index = test
...(omitted)
current_only = 1
*For Windows event logs, Splunk recognizes the sourcetype automatically, so "sourcetype = " does not need to be set.
*Default installation paths
$SPLUNK_HOME (Linux) : /opt/splunk
$SPLUNK_HOME (Windows) : C:\Program Files\splunk
2. Restart the Splunk service.
$SPLUNK_HOME/bin/splunk restart
3. Confirm from a search that the Windows event log has been ingested.
Once Windows event logs have been ingested here, Splunk will exclude Windows event log records older than the ingested ones from ingestion.
4. Remove the "current_only = 1" setting from the configuration added in step 1 above.
Example: current_only removed
$SPLUNK_HOME/etc/apps/<any app>/local/inputs.conf
[WinEventLog://<name>]
index = test
...(omitted)
5. Restart the Splunk service.
Notes
a. Be sure to confirm in step 3 above that the Windows event log has been ingested.
b. If the "current_only = 1" setting is not removed in step 4 above, Windows event logs written while Splunk is stopped will not be ingested.
c. During steps 4 and 5 above, Windows event logs may be lost.
d. current_only is a valid parameter only for Windows event log input settings ([WinEventLog://<name>]).
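As an added example (not code from this page, from Macnica or from Splunk), the following Python helper parses an inputs.conf text, reports the current_only state of each [WinEventLog://<name>] stanza (flagging current_only in stanzas where it has no effect, as in note d), and produces the step-4 version of the file with current_only removed from the Windows event log stanzas only. The sample inputs.conf and its stanza names are constructed for the example.

```python
import re
STANZA_RE = re.compile(r"^\[(?P<stanza>[^\]]+)\]\s*$")
# Constructed sample inputs.conf, modelled on the page's step-1 example.
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Application]
index = test
current_only = 1

[WinEventLog://Security]
index = test

[monitor://C:\\logs\\app.log]
index = test
current_only = 1
"""
def parse_inputs_conf(text):
    """Parse inputs.conf text into {stanza: {key: value}}; comments/blank lines skipped."""
    stanzas, name = {"default": {}}, "default"   # keys before the first stanza
    for line in (ln.strip() for ln in text.splitlines()):
        m = STANZA_RE.match(line)
        if m:
            name = m.group("stanza")
            stanzas.setdefault(name, {})
        elif line and not line.startswith("#") and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            stanzas[name][key] = value
    return stanzas

def audit_current_only(text):
    """Per stanza: WinEventLog -> "1"/"0"/"unset"; others setting it -> "ignored" (note d)."""
    report = {}
    for stanza, kv in parse_inputs_conf(text).items():
        if stanza.startswith("WinEventLog://"):
            report[stanza] = kv.get("current_only", "unset")
        elif "current_only" in kv:
            report[stanza] = "ignored"
    return report

def drop_current_only(text):
    """Step 4: delete current_only lines inside [WinEventLog://<name>] stanzas only."""
    out, in_wineventlog = [], False
    for raw in text.splitlines():
        m = STANZA_RE.match(raw.strip())
        if m:
            in_wineventlog = m.group("stanza").startswith("WinEventLog://")
        elif in_wineventlog and re.match(r"^\s*current_only\s*=", raw):
            continue                                 # the line step 4 removes
        out.append(raw)
    return "\n".join(out) + "\n"
```

Run audit_current_only before step 2 to confirm every WinEventLog stanza reports "1", and again after writing back the output of drop_current_only to confirm it reports "unset" before the restart in step 5.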
that's all
Contact: Splunk team, Macnica Co., Ltd.