Splunk Search

How to collect Windows event logs and field extractions without using a universal forwarder?

hopnscotch
Path Finder

In my situation, installing a universal forwarder is NOT an option for the remote Windows machine. I am using Snare to bring the logs in with the sourcetype windows_snare_syslog; however, there are no field extractions. After a lot of research to try and get a solution to extract fields for the event logs, I set up Splunk Enterprise to run on Windows; however, there are still no extractions. All of the Windows-related apps I have tried seem to assume or need you to get the logs from a Splunk forwarder.

Can you advise what specific app to use or other settings to get the field extractions working?

0 Karma

thuyentv2591
New Member

Hi all,
I cannot see the sourcetype snare:application or snare:security after installing the splunk-ta-windows app.
In this case I am monitoring a log file from an rsyslog server.
The Snare agent sends syslog to the rsyslog server.
Please help me with how to parse this Windows log file in the Snare agent format.
Many thanks for your support.

0 Karma

dturnbull_splun
Splunk Employee

The Splunk Add-on for Windows has extractions for Snare syslog with a sourcetype of Snare:Security or Snare:Application, etc.

hopnscotch
Path Finder

The add-on is just for the local system, not for remote snare logs coming in.

0 Karma

somesoni2
SplunkTrust

You configured the custom field extractions (after your research) on the Search Head for your sourcetype windows_snare_syslog, correct? Are you using any built-in dashboard searches which might be referring to a different index/sourcetype?

0 Karma
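As an added example for the two answers above (the add-on's Snare sourcetypes and the custom search-time extractions): this Python script is not code from the thread, from Splunk or from the Windows add-on. It parses Snare-formatted Windows events relayed through an rsyslog server into named fields and generates the props.conf/transforms.conf delimiter extraction a search head would need for the windows_snare_syslog sourcetype. The tab-delimited field order and the syslog header shape are assumptions based on Snare's documented layout, the sample lines are constructed, and the snare:security / snare:application sourcetype names are taken from the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 3164-style syslog header that an rsyslog relay puts in front of the Snare payload
# (assumed shape: "<PRI>Mon DD HH:MM:SS host ").
SYSLOG_HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+)\s+"
)

# Field order of a Snare for Windows record (assumed from Snare's documented tab-delimited layout).
SNARE_FIELDS = [
    "Hostname", "MSWinEventLog", "Criticality", "EventLogSource", "SnareCounter",
    "DateTime", "EventID", "SourceName", "UserName", "SIDType", "EventLogType",
    "ComputerName", "CategoryString", "DataString", "ExpandedString", "Checksum",
]
MIN_FIELDS = SNARE_FIELDS.index("ExpandedString") + 1  # the trailing Checksum field is optional


def parse_snare_event(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into Snare fields; return None if it is not a Snare record."""
    m = SYSLOG_HEADER.match(line)
    payload = line[m.end():] if m else line
    parts = payload.split("\t")
    # Some agents send "MSWinEventLog" as the syslog program tag instead of a leading
    # Hostname field; recover the host from the syslog header in that case.
    if m and parts and parts[0] == "MSWinEventLog":
        parts.insert(0, m.group("host"))
    if len(parts) < MIN_FIELDS or parts[1] != "MSWinEventLog":
        return None
    event = dict(zip(SNARE_FIELDS, parts))
    # Name the sourcetype the way the thread says the Windows add-on expects it
    # (snare:security, snare:application, ...), derived from the Windows log channel.
    event["suggested_sourcetype"] = "snare:" + event["EventLogSource"].lower()
    return event


def parse_all(lines: List[str]) -> List[Dict[str, str]]:
    """Parse a batch of syslog lines, skipping anything that is not a Snare record."""
    return [e for e in (parse_snare_event(l) for l in lines) if e is not None]


def splunk_extraction_config(sourcetype: str = "windows_snare_syslog") -> Tuple[str, str]:
    """Return (props.conf, transforms.conf) text for a search-time delimiter extraction of
    the same field list. REPORT-, DELIMS and FIELDS are standard Splunk settings; the stanza
    name snare_tab_fields is an arbitrary choice for this example."""
    props = f"[{sourcetype}]\nREPORT-snare = snare_tab_fields\n"
    transforms = (
        "[snare_tab_fields]\n"
        'DELIMS = "\\t"\n'
        f"FIELDS = {', '.join(SNARE_FIELDS)}\n"
    )
    return props, transforms


def _record(header: str, *fields: str) -> str:
    """Build a constructed sample line: syslog header followed by tab-separated Snare fields."""
    return header + "\t".join(fields)


# Constructed sample input: two Snare records relayed through rsyslog and one unrelated line.
SAMPLE_EVENTS = [
    _record("<13>Jan 12 10:15:42 WIN-DC01 ", "WIN-DC01", "MSWinEventLog", "1", "Security",
            "4521", "Fri Jan 12 10:15:41 2024", "4625", "Microsoft-Windows-Security-Auditing",
            "N/A", "N/A", "Failure Audit", "WIN-DC01", "Logon",
            "An account failed to log on. Account Name: svc_backup Logon Type: 3", "", "0"),
    _record("<13>Jan 12 10:16:03 WIN-APP02 ", "MSWinEventLog", "0", "Application", "88",
            "Fri Jan 12 10:16:02 2024", "1000", "Application Error", "N/A", "N/A", "Error",
            "WIN-APP02", "None", "Faulting application name: example.exe", "", "0"),
    "<13>Jan 12 10:16:10 lnx01 sshd[1234]: Accepted publickey for bob from 10.0.0.5",
]

if __name__ == "__main__":
    for ev in parse_all(SAMPLE_EVENTS):
        print(ev["suggested_sourcetype"], ev["EventID"], ev["EventLogType"], ev["ComputerName"])
    props, transforms = splunk_extraction_config()
    print(props + transforms)
```

Two caveats when carrying this over to a search head: a DELIMS extraction applied to the raw event would put the whole syslog header into the first field, so either the header has to be stripped before the delimiter extraction runs or the first field treated as unreliable; and if you instead want the add-on's own extractions to apply, the events must carry the exact sourcetype stanza names defined in the installed add-on, which is worth confirming in its props.conf rather than assumed from memory.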

hopnscotch
Path Finder

So, to be clear: I haven't done any custom extractions myself, as I don't want to spend a ton of time on something that I would assume is already available somewhere.

0 Karma