I have made the following change to a forwarder to send JUST AppLocker data as XML:
[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
renderXml = 1
[WinEventLog://Microsoft-Windows-AppLocker/MSI and Script]
disabled = 0
renderXml = 1
I am able to parse the field values if I use | xmlkv, but when adding KV_MODE = xml to the props.conf on the forwarder (like so):
[XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL]
KV_MODE = xml
I do not get parsed results in Splunk. Am I missing something?
I figured that KV_MODE = xml for any XmlWinEventLog is not working somehow. Maybe it is not proper XML. I could not find anything in Answers. But as I have the same problem, I found a lot of suggestions using KV_MODE = xml. But it just does not work ;-).
https://answers.splunk.com/answers/302711/how-to-configure-splunk-to-extract-xml-fields-from.html
https://answers.splunk.com/answers/402872/how-do-i-parse-applocker-windows-event-log-renderx.html
I personally would use the Splunk_TA_windows transforms. They do extract the fields perfectly. But the stanza in the Splunk app [(?::){0}XmlWinEventLog:*] does not work for me.
So I copied the Transforms directly to the sourcetype and created a local/props.conf:
e.g.
[XmlWinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational]
KV_MODE = none
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data
Maybe somebody can comment on this issue? But the above solution works perfectly for me.
Have a good day.
Ben
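To see what a field extractor (or | xmlkv) actually has to work with in a renderXml event, and to answer Ben's "maybe it is not proper XML" question, here is an added Python example that is not from this thread or from Splunk: it checks well-formedness and flattens the System, EventData and UserData sections of a Windows event into key/value pairs. The sample AppLocker 8004 event, its provider GUID, SID, path and hash are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"  # Windows event default namespace

# Constructed sample shaped like an AppLocker "EXE and DLL" block event (8004).
# Provider GUID, SID, path and hash are placeholders, not real data.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" Guid="{00000000-0000-0000-0000-000000000000}"/>
    <EventID>8004</EventID>
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
    <Security UserID="S-1-5-21-0-0-0-1001"/>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <RuleName>Constructed deny rule</RuleName>
      <TargetUser>S-1-5-21-0-0-0-1001</TargetUser>
      <FilePath>%OSDRIVE%\\USERS\\ALICE\\DOWNLOADS\\TOOL.EXE</FilePath>
      <FileHash>0000000000000000000000000000000000000000000000000000000000000000</FileHash>
    </RuleAndFileData>
  </UserData>
</Event>"""

def local_name(tag):
    # ElementTree prefixes every tag with "{namespace}"; keep the bare name.
    return tag.rsplit("}", 1)[-1]

def is_well_formed(xml_text):
    try:  # Ben's "maybe it is not proper XML" question, answered by the parser
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def flatten_event(xml_text):
    # Fields an extractor sees: System children (attrs as Tag_Attr), EventData <Data Name>, UserData payload.
    root = ET.fromstring(xml_text)
    fields = {}
    for el in root.iterfind(NS + "System/*"):
        name = local_name(el.tag)
        if el.text and el.text.strip():
            fields[name] = el.text.strip()
        for attr, value in el.attrib.items():
            fields[name + "_" + attr] = value
    for data in root.iterfind(NS + "EventData/" + NS + "Data"):
        fields[data.get("Name", "Data")] = (data.text or "").strip()
    for el in root.iterfind(NS + "UserData/*/*"):  # AppLocker's RuleAndFileData
        fields[local_name(el.tag)] = (el.text or "").strip()
    return fields
```

Feed it a real event copied from Splunk's _raw to compare the keys it produces with what your props.conf extraction yields, or to confirm the event parses at all.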
KV_MODE is a search-time field extractor, so it will need to go in props.conf on your search head instead of the forwarder.
I've added the KV_MODE section to props.conf (the one in %SPLUNK_HOME%\etc\system\local) on my search head and restarted, but I am still getting the same results. The fields are not getting extracted. Any other idea?