You might want to see all Windows events on a host when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
Windows event logs provide valuable information that can be used during an investigation to facilitate answering questions about the hosts behavior, state, health, or performance. You want visibility into all Windows event logs on a host.
To optimize the search shown below, you should specify an index and a time range.
- Verify that you deployed the Splunk Add-on for Microsoft Windows add-on to your search heads, indexer, and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
Click here for an example inputs.conf file that can be deployed to the universal forwarder on the Windows host to collect recommended Windows event logs.
- Run the following search:
host="<name of host to check>" source=WinEventLog:* <optional keywords>
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|host="<name of host to check>" source=WinEventLog:* <optional keywords>||
Search index(es) where Windows event log data is being collected and filter down to the desired host(s) to check.
Add optional keywords that are relevant to the investigation. For instance, adding "service stopped" to the search might help uncover instances where a service was stopped on the host. Otherwise, delete this part of the search.
This information provided by this search can help in other investigations.