Getting Data In

What is the difference in these stanzas?

stcrispan
Communicator

What is the difference between these stanzas...

[WinEventLog://Application]
disabled = 0
index=tablets
sourcetype=tablet_App

[WinEventLog://Microsoft-Windows-WLAN-AutoConfig/Operational]
disabled=0
index=tablets
sourcetype=tablet_WLAN_Op

[WinEventLog://Microsoft-Windows-WLAN-Autoconfig/Diagnostic]
disabled=0
index=tablets
sourcetype=tablet_WLAN_Diag

...and these stanzas?

[WinEventLog:Application]
disabled = 0
index=tablets
sourcetype=tablet_App

[WinEventLog:Microsoft-Windows-WLAN-AutoConfig/Operational]
disabled=0
index=tablets
sourcetype=tablet_WLAN_Op

[WinEventLog:Microsoft-Windows-WLAN-Autoconfig/Diagnostic]
disabled=0
index=tablets
sourcetype=tablet_WLAN_Diag

In the documentation, it says that in order to pick entries out of a file, specify the file path and name...but when picking events out of an .evtx file, it shows the second method (no "//" involved). I used the "//" method (the first method) in my inputs.conf, and I can get //Applications and even //...../Operations, but I'm not getting //..../Diagnostics.

Is the difference critical? Why does one work and not the other? When using Universal Forwarder, which is the more correct method? Why does it work for two but not the third?


stcrispan
Communicator

Somesh:

Yes, the Diagnostic events are showing up in the Event Viewer. As you know, when you turn on Analytic and Diagnostic logs, that creates the additional categories, in this case the additional Diagnostic under WLAN-AutoConfig. So I can definitely see the events. Additionally, when I go into Properties for WLAN-AutoConfig/Diagnostic and enable the log, event logging can be confirmed by watching the file size of the created file and seeing that it increases.

I was looking into your suggestion of monitoring these files as files, but unfortunately, they are created in binary format, and without the interpreter of the Universal Forwarder available, I cannot get any usable data. The alternative, copying the files over to our Splunk server, wouldn't work because, as I understand it, you need a server which corresponds to the device upon which the .evtx files are created in order to parse them...and our Splunk server is Linux.


somesoni2
SplunkTrust

The first set of stanzas is syntactically correct for monitoring Windows event logs; the second one is not, as it's missing those slashes. The difference is critical (that's why we have syntax).

Windows event log monitoring is different from regular file monitoring, where you have to specify the full path to the file. For Windows event logs, you just need to specify the path/name under which they are seen in Windows Event Viewer (on the Windows machine, go to Run -> eventvwr.exe).

This syntax is the same for the Universal Forwarder and Splunk Enterprise.

For the Windows event log monitoring which is not working, check if the path/name is correct.


stcrispan
Communicator

Thanks for the quick answer, Somesh.

So supposing I have the path/name correct, and it's still not digesting the .evtx file. What then? Both of these .evtx files live in the same directory, "C:\windows\system32\winevt\logs\", and they are both under the same provider, "WLAN-AutoConfig":

[WinEventLog://Microsoft-Windows-WLAN-AutoConfig/Operational]
[WinEventLog://Microsoft-Windows-WLAN-Autoconfig/Diagnostic]

They both have the same path and format. But Operational is getting events, and Diagnostic is not.

I wish I could get someone to replicate my results.


manxcomish
Loves-to-Learn

I know this is going back a few years... but did you ever find a solution to this? I am having the same problem.


somesoni2
SplunkTrust

I would check if the Diagnostic event log entries are appearing in Event Viewer on that server (on the server where these files exist, go to Run -> eventvwr.exe).

If you want to monitor those as files, instead of as Windows event logs, then you can set up file monitoring. See this for more details: http://docs.splunk.com/Documentation/Splunk/6.2.11/Data/MonitorWindowsdata

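The two checks recommended in this thread (confirm the channel's exact path/name as Event Viewer shows it, and confirm the channel is enabled and actually has events) can be scripted on the forwarder host. The following PowerShell is an added example, not code from the thread or from Splunk; the provider name, the index name and the sourcetype naming scheme are assumptions taken from the question. It lists every channel under the provider with its exact LogName, log type and record count, reads one event from each (Analytic and Debug channels, the ones that the "Show Analytic and Debug Logs" option turns on, can only be read by Get-WinEvent with -Oldest), and then emits WinEventLog:// stanzas built from the names Windows reports, so a hand-typed spelling or case difference between stanzas cannot creep in.

```powershell
# Added example: verify Windows event log channel names and emit inputs.conf stanzas.
# Run on the Windows host where the Universal Forwarder is installed (PowerShell 3+).
# Assumptions (illustrative, taken from the thread): provider, index and sourcetype prefix.
$Provider         = 'Microsoft-Windows-WLAN-AutoConfig'
$Index            = 'tablets'
$SourcetypePrefix = 'tablet_WLAN_'

# 1. Enumerate the provider's channels exactly as Event Viewer names them.
#    LogName is the string that goes after 'WinEventLog://' in inputs.conf.
$channels = @(Get-WinEvent -ListLog "$Provider/*" -ErrorAction SilentlyContinue)
if ($channels.Count -eq 0) {
    throw "No channels found under provider '$Provider'. Check the spelling in Event Viewer."
}

$channels |
    Select-Object LogName, LogType, IsEnabled, RecordCount, LogFilePath |
    Format-Table -AutoSize

# 2. Confirm each enabled channel can actually be read.
#    Get-WinEvent requires -Oldest for Analytic and Debug channels; without it the call fails.
foreach ($ch in $channels) {
    if (-not $ch.IsEnabled) {
        Write-Warning "$($ch.LogName) is disabled; nothing will be written to it."
        continue
    }
    try {
        $isDirectChannel = "$($ch.LogType)" -in @('Analytical', 'Debug')
        $ev = if ($isDirectChannel) {
            Get-WinEvent -LogName $ch.LogName -Oldest -MaxEvents 1 -ErrorAction Stop
        } else {
            Get-WinEvent -LogName $ch.LogName -MaxEvents 1 -ErrorAction Stop
        }
        Write-Host ("{0}: type={1} records={2} sample event id={3} at {4}" -f `
            $ch.LogName, $ch.LogType, $ch.RecordCount, $ev.Id, $ev.TimeCreated)
    } catch {
        # Typical causes: the channel is empty, or it is an Analytic/Debug channel read without -Oldest.
        Write-Warning "$($ch.LogName): $($_.Exception.Message)"
    }
}

# 3. Build the inputs.conf stanzas from the names Windows reported, one per channel.
#    The sourcetype suffix is the channel's last path segment (Operational, Diagnostic, ...).
$stanzas = foreach ($ch in $channels) {
    $suffix = ($ch.LogName -split '/')[-1]
@"
[WinEventLog://$($ch.LogName)]
disabled = 0
index = $Index
sourcetype = $SourcetypePrefix$suffix

"@
}
$stanzas -join ''
```

Run it as an administrator so that every channel's configuration is readable; redirect the script's final output to a file (for example `.\Verify-WinEventLogChannels.ps1 > inputs.conf.generated`) and compare the generated stanzas character by character with the ones in your deployed inputs.conf. A channel that lists with RecordCount 0, or whose read attempt raises a warning, is worth mentioning when reporting the problem, because it separates "the forwarder cannot collect it" from "Windows is not writing anything there".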