I'm trying to collect Windows events. Specifically, I'm trying to collect:
\\Applications and Service Logs\Microsoft\Windows\WLAN-AutoConfig\Operational
\\Applications and Service Logs\Microsoft\Windows\WLAN-AutoConfig\Diagnostic
\\Applications and Service Logs\Microsoft\Windows\WLAN-Driver\Analytic
So far, I've installed the Universal Forwarder, and made the changes to the inputs.conf file so that it will collect these events directly from the .evtx files:
[default]
host = SLATE

[WinEventLog://Application]
disabled = 0
index = tablets
sourcetype = tablet_App

[WinEventLog://Microsoft-Windows-WLAN-AutoConfig/Operational]
disabled = 0
index = tablets
sourcetype = tablet_WLAN_Op

[WinEventLog://Microsoft-Windows-WLAN-AutoConfig/Diagnostic]
disabled = 0
index = tablets
sourcetype = tablet_WLAN_Diag

[WinEventLog://Microsoft-Windows-WLAN-Driver/Analytic]
disabled = 0
index = tablets
sourcetype = tablet_WLAN_Analytic

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
So I started getting data, specifically data from Operational, but there was a problem. The problem is that the event files for Diagnostic and Analytic are not .evtx files; they're not even .evt files. They're .etl files... trace log files. So I wasn't getting any data from them.
The second problem is that I can't get Windows Event Viewer to create .evtx files for Diagnostic or Analytic. This is a BIG problem because it means I can't automatically scroll old data off, like I would with a bona fide .evtx file. It will only create an .etl file, and that means it's going to have a finite limit. Once it fills up, you're done logging.
So there is another problem. I'm capturing these log files in order to troubleshoot a problem with tablets... tablets that, for some unknown reason, abruptly lose network connectivity. That means I need a buffer where log events can be stored pending network re-connection. So I can't simply feed the .etl file straight to Splunk (or can I?).
So given this set of problems, can someone recommend a solution where:
...the events from \\Applications and Service Logs\Microsoft\Windows\WLAN-AutoConfig\Diagnostic and \\Applications and Service Logs\Microsoft\Windows\WLAN-Driver\Analytic get to Splunk.
...the solution is robust, fault tolerant, and not too complicated, because I can't afford to weigh down the tablets.
Yes, I realize that this is not necessarily a Splunk problem, it's more of a Windows problem... but I figure I can't be the ONLY guy who's ever run across a situation where a flat text file is being created but needs to somehow be redirected to the UF... without actually creating a real file that can be filled up. I figure it's more of a redirect, or funneling... PIPING... problem.
Any takers? Any suggestions?
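As an added illustration (not part of the original post, and not Splunk's or Microsoft's own code), here is one way to bridge ETL-backed Analytic/Debug channels to the Universal Forwarder: a scheduled PowerShell script reads new events from the two channels named in the question with Get-WinEvent (which requires -Oldest for those channel types), appends them as one JSON line each to a text file, and the UF monitors that file, so its own file-tailing gives the buffering across network drops. The output directory, state files and the [monitor://] stanza are assumptions chosen for the example.

```powershell
# Added example: drain ETL-backed Analytic/Debug channels into a UF-monitored text file.
# Channel names come from the question; paths and the monitor stanza are assumed.
# The channels must be enabled first (e.g. wevtutil sl "<channel>" /e:true) or they return nothing.
$channels = @(
    'Microsoft-Windows-WLAN-AutoConfig/Diagnostic',
    'Microsoft-Windows-WLAN-Driver/Analytic'
)
$outDir   = 'C:\ProgramData\wlan-trace'        # assumed; the UF monitors *.log here
$stateDir = Join-Path $outDir 'state'           # assumed; one RecordId bookmark per channel
New-Item -ItemType Directory -Force -Path $stateDir | Out-Null

foreach ($log in $channels) {
    $safeName  = $log -replace '[\\/]', '_'
    $stateFile = Join-Path $stateDir "$safeName.last"
    $outFile   = Join-Path $outDir   "$safeName.log"

    # Highest RecordId already written; 0 on the first run.
    # Assumes RecordIds keep increasing; delete the state file if the channel is cleared.
    $last = 0
    if (Test-Path $stateFile) { $last = [int64](Get-Content $stateFile) }

    # Analytic/Debug channels can only be read oldest-first; SilentlyContinue covers
    # the "No events were found" error when the channel is empty.
    $events = Get-WinEvent -LogName $log -Oldest -ErrorAction SilentlyContinue |
              Where-Object { $_.RecordId -gt $last }

    foreach ($e in $events) {
        # One compact JSON object per line so the UF can treat each line as an event.
        $line = [pscustomobject]@{
            time    = $e.TimeCreated.ToString('o')
            channel = $log
            id      = $e.Id
            level   = $e.LevelDisplayName
            record  = $e.RecordId
            message = ($e.Message -replace '\r?\n', ' ')
        } | ConvertTo-Json -Compress
        Add-Content -Path $outFile -Value $line -Encoding UTF8
        $last = $e.RecordId
    }
    Set-Content -Path $stateFile -Value $last
}

# Matching inputs.conf stanza on the forwarder (assumed), replacing the two
# WinEventLog stanzas that cannot read the .etl-backed channels:
#   [monitor://C:\ProgramData\wlan-trace\*.log]
#   index = tablets
#   sourcetype = tablet_WLAN_Diag
```

Run it from a scheduled task every few minutes; the text file only grows by what is new since the last run, so it can be rotated by size, and the UF's file monitor resumes where it left off once the tablet reconnects.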