Skip to main content

Microsoft: Windows event logs

  • Updated

Microsoft Windows event logs are a source of data that reports on state changes in the operating system, applications, and hardware. Data collected from these different elements are written to the Windows event log hosted within the operating system. These events are used by operations and development teams to troubleshoot and mitigate errors. Security and audit events are also written to the same place, but because they serve different use cases, they are covered in the MIcrosoft: Windows security data source article. In the Common Information Model, Windows event logs can be mapped to any of the following data models, depending on the field: Endpoint, Inventory, Updates, Change, Performance

Data visibility 

The Windows Event logs contain important events relating to applications, system services and the operating system. The events describe errors, warnings or information details about activity taking place on each system. This information is used to monitor and troubleshoot each system. 

Data application

When your Splunk deployment is ingesting Microsoft Windows Event Logs, you can use the data to achieve the following objectives:

Configuration

The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Microsoft Windows resources.

Data ingestion

If your deployment is not already ingesting *nix security data, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.

The recommended index is windows

The source types are WinEventLog and XmlWinEventLog

The supported input types are monitored OS logs, forwarded WinEventLogs, and Script.

In addition, you will need the Splunk Add-on for Microsoft Windows. The add-on can be downloaded here and the add-on documentation can be accessed here. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Microsoft Windows, and configure Splunk. 

Sizing estimate

The best way to estimate sizing is to send the data to Splunk and use the monitoring console to get ingest sizing by index or sourcetype. Data ingest will vary widely, but an estimated baseline is 250/MB per day per item.  

Validation

The first step in validating the logs is to run a search and confirm that the index is getting data in the proper time frame and that the source types and sources are as expected. Further validation is done by inspecting the events and making sure the needed fields are seen. 

A search similar to the following is a good starting point:

index=* earliest=-15m@ 
sourcetype=winEventLog OR sourcetype=XmlWinEventLog 
|stats count by sourcetype source index

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.