Hi, I edited the inputs.conf file on my forwarder, and once I restart Splunk etc. I see the data in search, but it is not readable. Can anyone tell me what I am doing wrong?
[default]
host = xxxxxxx

[monitor://C:\Windows\System32\winevt\Logs*]
disabled = false
index = xxxxxx
followTail = 0
sourcetype = sync
I have all the other data coming in fine.
Thanks,
Hi Carlyleadmin!
Monitoring evtx files can be tricky.
Please review https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Constraints
I believe the issue here is the sourcetype. There is a specific sourcetype for evtx.
From $SPLUNK_HOME/etc/system/default/props.conf:
[source::....(?i)(evt|evtx)(.\d+)?]
sourcetype = preprocess-winevt
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD=30
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv
[preprocess-winevt]
invalid_cause = winevt
is_valid = False
LEARN_MODEL = false
What was the change you made? The sourcetype?
Hey Mmodestino,
Instead of initially monitoring the Application log through the installation of the UF, I wanted to skip that part and try to monitor the winevt log files by editing the inputs file.
I gave it the sourcetype name "sync" and used an index I created, mainly because I did not want to put Windows event files in the main index, since I have other Windows event logs being written there from another machine.
So I uninstalled the UF, and on the initial installation I selected to monitor the Application log through WMI. Now it is working, but those events are going into the "main" index. I guess I can move them to another index, right? I will try that.
Thanks for the quick reply.
So, the index=xxxxx setting in inputs.conf you shared above is how you control which index the data will go to. The sourcetype tells Splunk how to parse the data. That's why I think the data was messed up above, because Windows event logs are not regular flat files.
Are these exported, historical Windows event logs? (I assumed they were.) Or the live logs on the machine? If it is the actual local logs, I would suggest the UF is the way you want to go, using the WinEventLog input.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/MonitorWindowseventlogdata
http://docs.splunk.com/Documentation/Splunk/6.6.0/admin/Inputsconf#Windows_Event_Log_Monitor
WMI is not the first thing I'd go to for monitoring Windows, but it depends on what you are trying to do....
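The two inputs.conf shapes the replies above point at, written out as an added example (not from either poster): a WinEventLog stanza for the live Application log, which is the UF input mmodestino recommends, and a monitor stanza for exported .evtx copies that leaves sourcetype unset so the default props.conf `[source::....(?i)(evt|evtx)(.\d+)?]` stanza can route the file through preprocess-winevt. The index name, the host value and the export directory are placeholders, and Splunk .conf files treat text after a value on the same line as part of the value, so every comment sits on its own line.

```ini
# $SPLUNK_HOME\etc\system\local\inputs.conf on the universal forwarder.
# Added example; index name, host and export path are placeholders.
# Restart the forwarder afterwards: "%SPLUNK_HOME%\bin\splunk restart".

[default]
host = xxxxxxx

# Live Windows Event Log: use the native WinEventLog input, not [monitor://].
# The forwarder reads the channel through the Windows API and assigns the
# WinEventLog sourcetype itself, so no sourcetype override is needed.
# index= is what keeps these events out of "main".
[WinEventLog://Application]
disabled = 0
index = wineventlog
# Collect the events already in the channel on first start, then tail it.
start_from = oldest
current_only = 0

# Exported/historical .evtx copies: monitor the export directory and do NOT
# set sourcetype. The default props.conf stanza matches on the .evt/.evtx
# extension and parses the binary file; a custom sourcetype such as "sync"
# bypasses that and indexes the raw bytes as text, which is the unreadable
# data seen in the original question.
[monitor://C:\SplunkExports\evtx\*.evtx]
disabled = 0
index = wineventlog
```

With both stanzas in place, `index=wineventlog sourcetype=*` in search shows the live channel under the WinEventLog sourcetype and the exported files under the sourcetype the props.conf stanza assigns, which is how to confirm the override is no longer in effect.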
You are right, mmodestino, they are historical data, but like you said, because they are Windows event logs and not regular files, they were showing up messed up.
Thanks,
Well, I uninstalled my UF and reinstalled it, and chose to monitor the Application log from the install instead of editing inputs.conf manually later on.
Cool, glad you got it working!
Hey Carlyleadmin, what ended up working for you?