
Windows Event Logs source and sourcetype names in Universal Forwarder Version 6.0 (Windows Server 2003 SP2 x86)

andreasz
Path Finder

Apparently the source and sourcetype names changed in UF 6.0.

Old name: WinEventLog:Application

New name: WinEventLog:application

The same applies to System and Security Logs.

According to props.conf.spec: "By default, [source::] and [] stanzas match in a case-sensitive manner"

All the props.conf stanzas (event filtering) no longer match.

Here is my inputs.conf definition on the forwarder:

default:
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

UF Version: splunkforwarder-6.0-182611-x86-release.msi

Regards,

Andreas

UPDATE

My workaround

On the indexer:

transforms.conf:

[rename_sourcetype_WinEventLog:application]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::WinEventLog:application
FORMAT = sourcetype::WinEventLog:Application

[rename_sourcetype_WinEventLog:security]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::WinEventLog:security
FORMAT = sourcetype::WinEventLog:Security

[rename_sourcetype_WinEventLog:system]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::WinEventLog:system
FORMAT = sourcetype::WinEventLog:System

[rename_source_WinEventLog:application]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = source::WinEventLog:application
FORMAT = source::WinEventLog:Application

[rename_source_WinEventLog:security]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = source::WinEventLog:security
FORMAT = source::WinEventLog:Security

[rename_source_WinEventLog:system]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = source::WinEventLog:system
FORMAT = source::WinEventLog:System

props.conf:

[WinEventLog:security]
TRANSFORMS-rename_source = rename_source_WinEventLog:security
TRANSFORMS-rename_sourcetype = rename_sourcetype_WinEventLog:security

[WinEventLog:application]
TRANSFORMS-rename_source = rename_source_WinEventLog:application
TRANSFORMS-rename_sourcetype = rename_sourcetype_WinEventLog:application

[WinEventLog:system]
TRANSFORMS-rename_source = rename_source_WinEventLog:system
TRANSFORMS-rename_sourcetype = rename_sourcetype_WinEventLog:system

Update 30.10.2013:

The problem occurs on Windows Server 2003 SP2 x86.
I could not recreate it on Windows Server 2008 R2.


skylasam_splunk
Splunk Employee

This is a known issue - http://docs.splunk.com/Documentation/Splunk/6.0/ReleaseNotes/KnownIssues#Windows-specific_issues

It has since been fixed in UF 6.0.4+ and UF 6.1.x. You can upgrade to these versions, which have the fix. Alternatively, if you cannot upgrade, you can modify your props.conf file to also look for this lower-case sourcetype.

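An added example, not from either post above and not Splunk's own code: a small Python checker that models the case-sensitive stanza matching the question quotes from props.conf.spec, and shows which sourcetypes from the question's inputs.conf would go unmatched on a forwarder that lower-cases the channel name (the UF 6.0 behaviour reported), first against a props.conf written for the capitalised names only and then against one that also carries the lower-case stanzas, as skylasam_splunk suggests. The inputs.conf and props.conf texts are constructed for the example, the transform name `drop_noise` is a placeholder, and the checker deliberately considers only plain `[<sourcetype>]` stanzas (no `[source::...]` stanzas or wildcards), which is an assumption, not Splunk's full matching logic.

```python
# Added example: reproduce Splunk's case-sensitive props.conf stanza matching
# offline so a config change can be checked before it is deployed.
# Standard library only; no Splunk instance is required.
import configparser


def parse_conf(text):
    """Parse a Splunk-style .conf file; keys and stanza names stay case-sensitive."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # do not lower-case keys
    cp.read_string(text)
    return cp


def emitted_sourcetypes(inputs_conf, lowercase_channel=False):
    """Sourcetypes a forwarder with these inputs.conf stanzas would emit.

    Each enabled [WinEventLog://<Channel>] stanza yields WinEventLog:<Channel>.
    lowercase_channel=True models the UF 6.0 behaviour reported in the question,
    where the channel name arrives lower-cased (assumption: only the channel
    part changes).
    """
    cp = parse_conf(inputs_conf)
    names = []
    for stanza in cp.sections():
        if not stanza.startswith("WinEventLog://"):
            continue
        if cp.get(stanza, "disabled", fallback="0").strip().lower() in ("1", "true"):
            continue
        channel = stanza[len("WinEventLog://"):]
        if lowercase_channel:
            channel = channel.lower()
        names.append("WinEventLog:" + channel)
    return names


def unmatched_sourcetypes(inputs_conf, props_conf, lowercase_channel=False):
    """Emitted sourcetypes that no props.conf stanza matches exactly.

    Simplification (assumption): only plain [<sourcetype>] stanzas count;
    [source::...] stanzas and wildcard patterns are ignored.
    """
    stanzas = set(parse_conf(props_conf).sections())
    return [st for st in emitted_sourcetypes(inputs_conf, lowercase_channel)
            if st not in stanzas]


# Constructed sample: the three forwarder inputs from the question.
INPUTS_CONF = """
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
"""

# Constructed sample: a props.conf written for the pre-6.0 capitalised names only.
# "drop_noise" is a placeholder transform name.
PROPS_OLD = """
[WinEventLog:Application]
TRANSFORMS-filter = drop_noise
[WinEventLog:Security]
TRANSFORMS-filter = drop_noise
[WinEventLog:System]
TRANSFORMS-filter = drop_noise
"""

# Constructed sample: the same props.conf with lower-case stanzas added as well.
PROPS_BOTH = PROPS_OLD + """
[WinEventLog:application]
TRANSFORMS-filter = drop_noise
[WinEventLog:security]
TRANSFORMS-filter = drop_noise
[WinEventLog:system]
TRANSFORMS-filter = drop_noise
"""

if __name__ == "__main__":
    for label, props in (("capitalised stanzas only", PROPS_OLD),
                         ("both spellings", PROPS_BOTH)):
        missed = unmatched_sourcetypes(INPUTS_CONF, props, lowercase_channel=True)
        print(f"{label}: unmatched on a lower-casing forwarder -> {missed or 'none'}")
```

Running it prints the three lower-case sourcetypes as unmatched for the first props.conf and none for the second; with `lowercase_channel=False` (a forwarder that keeps the capitalised names) nothing is unmatched in either case, which is why the problem only shows up on the affected hosts.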