Does anyone know if Splunk can import Microsoft Event files or cap, pacp, pcapng files from programs like Wireshark, Network Minder etc?
I’m not a Senior Engineer but I thought cap, pcap and pcapng have been an industry standard file format for 25 years. Same with Microsoft event logs. Is she correct? Splunk doesn’t understand Microsoft event files or Wireshark pcap files?
Is there anyone at Splunk who has worked with Microsoft Event files or pcap files who might have a sample? Our Splunk Engineer wants us to submit sample files but I don’t have any sanitized files to give her. I’m hoping someone at Splunk can help me out.
Thanks
A little late in responding but a app called stream indexes pcaps!!
Is there any Splunk documention I can have our Splunk Senior Engineer read? Or do you know if anyone at Splunk knows about this I can refer our Splunk Senior Engineer to?
Yes, all those things can be ingested into Splunk. The Microsoft Event Logs are parsed by Splunk core. The pcaps are more complex and that isn't a fully solved problem, but there are many ways you can do that on your own or with future enhancements that are likely being worked on today.
I should add that the Sourcefire eStreamer Splunk app does contain pcap data as sent from Sourcefire, but I don't think it is designed to read libpcap format files directly.