
Windows Event Logs source and sourcetype names in Universal Forwarder Version 6.0 (Windows Server 2003 SP2 x86)

andreasz

Apparently the source and sourcetype names changed in UF 6.0.

Old name: WinEventLog:Application

New name: WinEventLog:application

The same applies to System and Security Logs.

According to props.conf.spec: "By default, [source::] and [] stanzas match in a case-sensitive manner"

All the props.conf stanzas (Event filtering) don't match any more.

Here is my inputs.conf definition on the forwarder:

default:
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

UF Version: splunkforwarder-6.0-182611-x86-release.msi

Regards,

Andreas

UPDATE

My Workaround

On Indexer:

transforms.conf:

[rename_sourcetype_WinEventLog:application]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::WinEventLog:application
FORMAT = sourcetype::WinEventLog:Application

[rename_sourcetype_WinEventLog:security]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::WinEventLog:security
FORMAT = sourcetype::WinEventLog:Security

[rename_sourcetype_WinEventLog:system]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::WinEventLog:system
FORMAT = sourcetype::WinEventLog:System

[rename_source_WinEventLog:application]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = source::WinEventLog:application
FORMAT = source::WinEventLog:Application

[rename_source_WinEventLog:security]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = source::WinEventLog:security
FORMAT = source::WinEventLog:Security

[rename_source_WinEventLog:system]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = source::WinEventLog:system
FORMAT = source::WinEventLog:System

props.conf:

[WinEventLog:security]
TRANSFORMS-rename_source = rename_source_WinEventLog:security
TRANSFORMS-rename_sourcetype = rename_sourcetype_WinEventLog:security

[WinEventLog:application]
TRANSFORMS-rename_source = rename_source_WinEventLog:application
TRANSFORMS-rename_sourcetype = rename_sourcetype_WinEventLog:application

[WinEventLog:system]
TRANSFORMS-rename_source = rename_source_WinEventLog:system
TRANSFORMS-rename_sourcetype = rename_sourcetype_WinEventLog:system

Update 30.10.2013:

The problem occurs on Windows Server 2003 SP2 x86. I could not recreate it on Windows Server 2008 R2.


skylasam_splunk
Splunk Employee

This is a known issue - http://docs.splunk.com/Documentation/Splunk/6.0/ReleaseNotes/KnownIssues#Windows-specific_issues

It has since been fixed in UF 6.0.4+ and UF 6.1.x. You can upgrade to these versions, which have the fix. Alternatively, if you cannot upgrade, you can modify your props.conf file to also look for this lower-case sourcetype.

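A check for the failure mode in this thread, added here as an example and not part of either post: it parses a props.conf fragment and compares it, case-sensitively as Splunk does, against the source and sourcetype values forwarders actually report, flagging every value that a stanza would only match if case were ignored (the `PROPS_CONF` and `OBSERVED` samples, the function names and the `TRANSFORMS-filter` targets are constructed assumptions).

```python
import re
from configparser import ConfigParser

# Constructed props.conf fragment in the style of the thread; not the poster's file.
PROPS_CONF = """
[WinEventLog:Security]
TRANSFORMS-filter = drop_logon_noise
[WinEventLog:Application]
TRANSFORMS-filter = drop_app_noise
[source::WinEventLog:System]
SHOULD_LINEMERGE = false
"""

# Constructed (kind, value) pairs as forwarders report them, e.g. via
# `| metadata type=sourcetypes`: UF 5.x casing mixed with UF 6.0 lower case.
OBSERVED = [
    ("sourcetype", "WinEventLog:Security"),
    ("sourcetype", "WinEventLog:security"),
    ("sourcetype", "WinEventLog:application"),
    ("source", "WinEventLog:system"),
]


def parse_stanzas(text):
    """Return {(kind, name)} for literal props.conf stanzas; wildcard/regex source:: forms are skipped."""
    cp = ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # Splunk keeps key case; so do we
    cp.read_string(text)
    stanzas = set()
    for sec in cp.sections():
        if sec.startswith("source::"):
            name = sec[len("source::"):]
            if not re.search(r"[*().?|]", name):
                stanzas.add(("source", name))
        elif not sec.startswith("host::"):
            stanzas.add(("sourcetype", sec))
    return stanzas


def find_case_mismatches(observed, stanzas):
    """Observed values with no exact stanza but one that differs only in case."""
    by_folded = {}
    for kind, name in stanzas:
        by_folded.setdefault((kind, name.lower()), []).append(name)
    mismatches = []
    for kind, value in observed:
        if (kind, value) in stanzas:
            continue  # matched case-sensitively, as Splunk would
        for stanza in by_folded.get((kind, value.lower()), []):
            mismatches.append((kind, value, stanza))
    return mismatches
```

Every tuple returned is a stanza whose TRANSFORMS or filters are silently never applied to that forwarder's events; run it against the real props.conf and the real metadata output rather than the constructed samples.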