Decoding of evtx files must be done in context of the Windows server where it was generated and upload does not work. For a great explanation, see the answer by @inventsekar here (be sure to upvote him):
https://answers.splunk.com/answers/479464/how-to-index-evtx-files-in-splunk.html
Just ran into this same issue, having trouble ingesting these .evtx logs (from Citrix application server). Also read through the link woodcock provided (https://answers.splunk.com/answers/479464/how-to-index-evtx-files-in-splunk.html) and didn't see any clear answer.
Using a forwarder to monitor the file, also used the sourcetype=WinEventLog, after installing the Windows TA...but getting the same results as ddrillic.
Anyone got more info on how to ingest these logs? Thanks!
Joe
I believe that @landen99 @alanden_splunk can shed some light on this.
@joesrepsolc The solution appears fairly complicated, so clarity is not going to be expected when using Splunk to do it. I actually prefer the other answer by @tnesavich for the sake of clarity. But I expect it is much simpler to use the python method, not mentioned in those answers. Have you looked at python-evtx? https://github.com/williballenthin/python-evtx
Very kind @woodcock
Hey @ddrillic, Here's some documentation on adding this type of file. http://docs.splunk.com/Documentation/Splunk/5.0/Data/MonitorWindowsdata
Here are a few Answers links as well:
Through the interface: https://answers.splunk.com/answers/528735/how-to-index-exported-evt-and-evtx-files.html
Using a forwarder or using a work-around to change them into csv or text files: https://answers.splunk.com/answers/479464/how-to-index-evtx-files-in-splunk.html
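As an added example (not code from any post in this thread), here is the "change them into text files" work-around from the link above, done on the source Windows server where the provider message DLLs live, using PowerShell's Get-WinEvent instead of the python-evtx approach mentioned earlier; it writes one JSON object per line so a forwarder can monitor the output. The input and output paths are placeholders you supply.

```powershell
# Added example: convert an exported .evtx into newline-delimited JSON
# on a Windows host, so a forwarder can monitor plain text instead of
# the proprietary .evtx container. Paths are assumptions/placeholders.
param(
    [Parameter(Mandatory = $true)][string]$EvtxPath,   # e.g. C:\exports\citrix.evtx
    [Parameter(Mandatory = $true)][string]$OutPath     # e.g. C:\exports\citrix.json
)

if (-not (Test-Path -LiteralPath $EvtxPath)) {
    throw "Input file not found: $EvtxPath"
}

# Get-WinEvent reads an archived .evtx directly. Rendering $e.Message
# needs the originating provider's message resources, which is why this
# should run on (or near) the server that produced the log, not the indexer.
$events = Get-WinEvent -Path $EvtxPath -ErrorAction Stop

$lines = foreach ($e in $events) {
    # Flatten <EventData><Data Name="..."> fields into a hashtable so they
    # become top-level JSON keys; events with no EventData simply yield {}.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated.ToString('o')   # ISO 8601, easy for timestamp extraction
        EventID     = $e.Id
        Level       = $e.LevelDisplayName
        Provider    = $e.ProviderName
        Computer    = $e.MachineName
        RecordId    = $e.RecordId
        Message     = $e.Message
        EventData   = $data
    } | ConvertTo-Json -Compress -Depth 4
}

# One compact JSON object per line; point a monitor input at $OutPath
# with a JSON sourcetype rather than WinEventLog.
Set-Content -LiteralPath $OutPath -Value $lines -Encoding UTF8
Write-Host "Wrote $($lines.Count) events to $OutPath"
```

Keep RecordId and Computer in the output so duplicates from re-exported files can be spotted at search time.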
Hi @ddrillic, Following up on my previous answer after more research. @ppablo and @aaraneta helped me look through several other related inquiries and the documentation on Splunk Docs, and unfortunately it looks like the original evtx files can't be uploaded in this way as you requested due to the proprietary nature of the evtx files. You can read more from the answers to these questions here: https://answers.splunk.com/topics/evtx.html
We have a pretty active public Slack chat if you'd like to reach out there for more info or to see if an active user has found a workaround. You first have to request access through http://splk.it/slack. Fill out the form, and once you receive the approval email from our Community Manager (the approval process usually takes a couple of days), you can access Slack.com and ask for help in the #general channel.
Great, but I would like to upload them as files and not monitor them, which we can't at this point...