Monitor evtx log

AaronMoorcroft
Communicator

Hi guys,

I need to drag an evtx log from %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService.evtx

This needs to show all the individual print jobs/info.

This needs to be completed in a conf file, currently looking like this:

[WinEventLog://C:\Windows\System32\Winevt\Logs\Microsoft-Windows-PrintService%4Operational.evtx]
disabled = false
sourcetype = printname

Currently the results look a little like this:

x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\

Can anyone help me please ?

1 Solution

AaronMoorcroft
Communicator

Just as a follow-up: the answer above worked, however only sporadically, very on and off. I finally managed to get it working with the below in the conf file:

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
start_from = oldest
current_only = 0

Initially this wouldn't work, but after a few hours and a couple of Splunk service restarts it all came to life.


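For reference, the stanza from the question and the working one side by side, as an added example that is not part of any post in this thread. Only the index line is an assumption; the rest is taken from the stanzas posted above. The documented spelling is WinEventLog:// with two slashes; the single-colon form in the accepted answer is the older spelling of the same stanza and the forwarder accepts both.

```ini
# Universal Forwarder inputs.conf on the print server

# Stanza from the question: a file path where the input expects a channel name.
# The Windows Event Log input opens a named channel through the Windows API, not
# a .evtx container on disk. This is the stanza that produced the \x00 output above.
[WinEventLog://C:\Windows\System32\Winevt\Logs\Microsoft-Windows-PrintService%4Operational.evtx]
disabled = false
sourcetype = printname

# Working stanza: the channel name exactly as Event Viewer shows it.
# The "%4" in the file name is how Windows encodes the "/" of the channel name on disk.
[WinEventLog://Microsoft-Windows-PrintService/Operational]
disabled = 0
start_from = oldest   # start at the oldest record still in the log
current_only = 0      # backfill the records already there, then keep tailing (1 = new events only)
index = wineventlog   # assumption: any existing index; omit the line to use the default
# sourcetype left at the default, WinEventLog:Microsoft-Windows-PrintService/Operational
```

After editing the file, restart the forwarder (`splunk restart`) and, if nothing arrives, read $SPLUNK_HOME\var\log\splunk\splunkd.log on the forwarder: a misspelled or disabled channel is reported there by the WinEventLog input, which is a faster check than waiting for events to show up on the indexer.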

Sarmbrister
Path Finder

I am dealing with the same issue. One of two things might work for this.

1. When you run a search, use this rex command: index= | rex mode=sed "s/\\x..//g" (This will remove all of the null data, or anything that has \x and any two characters after it.)
2. If you are continuing to index from the source, then set up a transforms.conf file and set up the props.conf regex to use s/\\x..//g.

I set up the transforms.conf file and am currently waiting on data to flow through to determine if it is working.

Transforms.conf: http://docs.splunk.com/Documentation/Splunk/6.1/admin/Transformsconf

Props.conf: http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Hope this helps.

Sarmbrister
Path Finder

I have been dealing with this same issue for a long time, and I think I figured out the issue. Since it is Windows event logs and they are in binary, Splunk might not know how to bring them in unless they are part of the wineventlog configs, or the data needs to be in plain text. I am currently working on a script to put the data into plain text, then have Splunk read that file, then delete the plain text file after Splunk pulls the data. If successful, I'll let you know.


Sarmbrister
Path Finder

I am currently having this same issue. Were you able to solve the problem? I have changed my CHARSET=UTF-16LE on my UF and no luck. Really looking for an answer on this one.


jeubank12
Engager

Splunk will show a sourcetype of preprocess-winevt on the preview screen while giving you the raw file output. This is normal. Click through all the rest of the add-data prompts, and then Splunk will send the files through the correct processor to index the events.


sshres5
Communicator

I used the above example to finally index the Operations Manager.evtx file without any garbled data:
[WinEventLog:\Operations Manager]

Basically, go to the configuration management on your Windows box, then click Event Viewer and see where your POI is located. Also, you can use it based on the path shown in the properties of your file path.

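The Event Viewer lookup sshres5 describes, done from PowerShell on the machine that writes the log, as an added example that is not part of any post here. It checks the print channel from the question and the "Operations Manager" log from this post; the columns shown and the decision to enable the channel are my choices, not Splunk's.

```powershell
# Added example, not from the thread: confirm a channel before pointing the Universal
# Forwarder at it. Run in an elevated PowerShell on the machine that writes the log.
$Channel = 'Microsoft-Windows-PrintService/Operational'   # channel from the question

# -ListLog returns the channel's metadata without reading any events.
# LogName is the exact string that goes after WinEventLog:// in inputs.conf;
# LogFilePath is the .evtx on disk (note the %4 standing in for the "/").
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
$log | Select-Object LogName, IsEnabled, RecordCount, LogMode, LogFilePath | Format-List

# Operational channels such as PrintService are disabled by default; nothing is
# written (so nothing can be forwarded) until the channel is switched on.
if (-not $log.IsEnabled) {
    wevtutil set-log $Channel /enabled:true
}

# Show the newest records to confirm print jobs are actually being logged.
# An empty channel makes Get-WinEvent raise an error, hence SilentlyContinue.
Get-WinEvent -LogName $Channel -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName,
                  @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# The same lookup generalised: find the stanza name for any channel by pattern,
# e.g. the 'Operations Manager' log from this post and the print channel together.
Get-WinEvent -ListLog '*Operations Manager*', '*PrintService*' -ErrorAction SilentlyContinue |
    Select-Object LogName, IsEnabled, RecordCount, LogFilePath |
    Format-Table -AutoSize
```

Copy the LogName column verbatim into the forwarder stanza; every channel you want needs its own [WinEventLog://...] stanza. If RecordCount stays at 0 after the channel is enabled, print a test page before blaming the forwarder: an enabled but empty channel forwards nothing, which looks the same from the indexer as a broken input.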

albin111
New Member

I need some help doing something like this to other evt files.


AaronMoorcroft
Communicator

Not sure if everyone would class this as an answer; however, I have managed to find a workaround that may work for someone else out there.

So in Server 08 I guess not all events are automagically logged in either System, Application or Security, the 3 main places you look for your logs (yes, I know there are a few others).

Anyway, when enabling the printer logs this goes into a separate location altogether (see the location listed in the initial question). Basically what I have done is changed the properties of that log location to point to the System log location. In doing this it duplicates the logs: the logs will continue to go to the original location and there will then also be a copy put into, in this case, the System log too.

For me this has resolved my problem, as Splunk was picking up logs from the 3 main locations but not the other...

Thanks for your help Luke and MuS.


AaronMoorcroft
Communicator

I may have found a way around this. I'll post back when I have an answer, maybe tomorrow now though. What I'm thinking is to move the specific logs from that event log into the System event log...


lukejadamec
Super Champion

If they are evtx, and they are being read on w2k3 without issue then that is a good question. I did not think that was possible. See the bottom of this doc:
http://docs.splunk.com/Documentation/Splunk/6.0.2/Data/MonitorWindowsdata


AaronMoorcroft
Communicator

Application
Security
System


lukejadamec
Super Champion

What do you mean by regular?


AaronMoorcroft
Communicator

OK, that would make perfect sense, but in that case how do the regular event logs work, as they are fine?

Very confusing.


lukejadamec
Super Champion

With windows logs, they need to be read on the same version of windows as the system that created the log file. If you try to read an evtx file on a w2k3 server, you'll probably get data like you have.


AaronMoorcroft
Communicator

Hi Luke,

No, the file is on a different server and is being forwarded with the universal forwarder to our main indexer.


lukejadamec
Super Champion

Is this log file being read on the machine that produced it?


MuS
SplunkTrust

Hi AaronMoorcroft,

could it be that you have set a TCP input port in inputs.conf on the indexer like this:

[tcp://any TCP Port]

...should be instead :

[splunktcp://9997]

The indexer is receiving cooked data on a TCP port configured to receive uncooked data. Port 9997 is the default port for Splunk to receive cooked data.

cheers, MuS

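The receiving-side check MuS is describing, written out as an added example that is not part of the thread. The receiver hostname is an assumption; the port is the default 9997 named in the post.

```ini
# Receiver (the indexer, or the "main forwarder" in the thread) inputs.conf
# Forwarders send cooked Splunk-to-Splunk data; only a splunktcp input decodes it.
[splunktcp://9997]
disabled = 0

# The mistake to look for: a raw TCP input on the port the forwarders send to.
# Cooked data landing here is indexed as opaque bytes, which also shows up as
# unreadable events, so it is worth ruling out before suspecting the source.
# [tcp://9997]
# sourcetype = syslog

# Sending side (Universal Forwarder) outputs.conf
[tcpout]
defaultGroup = receiver

[tcpout:receiver]
server = indexer.example.internal:9997   # assumption: your receiver's address
```

To confirm the pairing without reading the files, run `splunk display listen` on the receiver (lists ports enabled for forwarder traffic) and `splunk list forward-server` on the forwarder (shows whether the connection to the receiver is active or configured but not connected). Since the thread's author reports every other input arriving correctly over the same path, this check passes for him, which is what narrows the problem down to the WinEventLog stanza itself.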

AaronMoorcroft
Communicator

All events would be sent via 9997 from all our, let's call them, mini forwarders onto, let's call it, our main forwarder, and that then onto the indexer.

This is working perfectly well for all other logs and configs that are set up. I suspect this is something to do with this being an evtx file.


MuS
SplunkTrust

You could try the CHARSET option in props.conf on the forwarder, or read this: http://answers.splunk.com/answers/83790/how-do-i-remove-x00-characters-from-my-log-message


MuS
SplunkTrust

How did you set up receiving on the indexer in this case, since you are forwarding this from a universal forwarder?
