Splunk Enterprise

After editing inputs.config on forwarder data shows up unreadable

carlyleadmin
Contributor

Hi, I edited the inputs.conf file on my forwarder, and once I restart Splunk etc. I see the data in search, but it is not readable. Can anyone tell me what I am doing wrong?

[default]
host = xxxxxxx

# Wildcard match under the live event log directory; the sourcetype
# override below is applied to every file the stanza picks up.
[monitor://C:\Windows\System32\winevt\Logs*]
disabled = false
index = xxxxxx
followTail = 0
sourcetype = sync

I have all the other data coming in fine.

Thanks,

1 Solution

mattymo
Splunk Employee

Hi Carlyleadmin!

Monitoring evtx files can be tricky.

Please review https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Constraints

I believe the issue here is the sourcetype. There is a specific sourcetype for evtx.

From $SPLUNK_HOME/etc/system/default/props.conf:

# Any source whose name ends in .evt or .evtx (optionally followed by .N)
# is assigned the preprocess-winevt sourcetype instead of being parsed as text.
[source::....(?i)(evt|evtx)(.\d+)?]
sourcetype = preprocess-winevt
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 30
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv

# preprocess-winevt is marked invalid so the file is handed to the Windows
# event log preprocessor (invalid_cause = winevt) rather than indexed as-is.
[preprocess-winevt]
invalid_cause = winevt
is_valid = False
LEARN_MODEL = false

What was the change you made? The sourcetype?

- MattyMo

carlyleadmin
Contributor

Hey Mmodestino,

Instead of initially monitoring the application files through the installation of the UF, I wanted to skip that part and try to monitor the Windows event log files by editing the inputs file.

I gave it the sourcetype name "sync" and used an index I created, mainly because I did not want to put Windows event files in the main index, because I have other Windows event log files being written there from another machine.
So I uninstalled the UF, and on the initial installation I selected to monitor Application log files through WMI. Now it is working, but those files are going into the "main" index. I guess I can move them to another index, right? I will try that.

Thanks for the quick reply.


mattymo
Splunk Employee

So, the index=xxxxx setting in the inputs.conf you shared above is how you control which index the data will go to. The sourcetype tells Splunk how to parse the data. That's why I think the data was messed up above, because Windows event logs are not regular flat files.

Are these exported, historical Windows event logs? (I assumed they were.) Or the live logs on the machine? If it is the actual local logs, I would suggest the UF is the way you want to go, and use the wineventlog input.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/MonitorWindowseventlogdata
http://docs.splunk.com/Documentation/Splunk/6.6.0/admin/Inputsconf#Windows_Event_Log_Monitor

WMI is not the first thing I'd go to for monitoring Windows, but it depends on what you are trying to do....

- MattyMo
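Putting the accepted answer and the reply above together (the source-name rule in default props.conf assigns preprocess-winevt to .evt/.evtx files unless the input overrides the sourcetype; the index setting only chooses the destination; live channels belong on the Windows Event Log input), here is an added example inputs.conf for the universal forwarder. It is not from the original thread or from Splunk's documentation. The index name xxxxxx and host value are the placeholders from the question; the archive folder C:\evtx_archive, the extra System and Security channels, and the app location $SPLUNK_HOME\etc\apps\<your_app>\local\inputs.conf are assumptions. The stanza as posted is kept, commented out, beside the corrected forms:

```ini
# Added example inputs.conf for the universal forwarder (not from the thread
# or Splunk's docs). Assumed placeholders: index xxxxxx, folder C:\evtx_archive,
# app path $SPLUNK_HOME\etc\apps\<your_app>\local\inputs.conf.

[default]
host = xxxxxxx

# ---- As posted (left commented out): why the events were unreadable ----
# Sources ending in .evt/.evtx normally match the default props.conf rule
#   [source::....(?i)(evt|evtx)(.\d+)?]  ->  sourcetype = preprocess-winevt
# which hands the binary file to the Windows event log preprocessor.
# Forcing "sourcetype = sync" on the input bypasses that rule, so the raw
# binary .evtx content is indexed as if it were text and is unreadable.
#[monitor://C:\Windows\System32\winevt\Logs*]
#disabled = false
#index = xxxxxx
#followTail = 0
#sourcetype = sync

# ---- Live channels on this host: use the Windows Event Log input --------
# "index" chooses the destination. No sourcetype override is needed; the
# input assigns its own WinEventLog sourcetype and renders the events.
[WinEventLog://Application]
disabled = 0
index = xxxxxx
# Read the channel from the beginning on first start, then keep tailing.
start_from = oldest
current_only = 0

[WinEventLog://System]
disabled = 0
index = xxxxxx

[WinEventLog://Security]
disabled = 0
index = xxxxxx

# ---- Historical .evtx files exported from another machine -------------
# Copy them somewhere other than the live winevt\Logs directory, monitor
# them from a forwarder running on Windows (the preprocessor renders them
# through the Windows API), and do NOT set sourcetype so the
# preprocess-winevt rule above applies.
[monitor://C:\evtx_archive\*.evtx]
disabled = 0
index = xxxxxx
```

Drop the file into the app's local directory on the forwarder, check the merged result with `splunk btool inputs list --debug` from $SPLUNK_HOME\bin (the --debug column names the file each setting came from, which is how a sourcetype override hiding in another app is found), then `splunk restart`. Events already indexed under sourcetype=sync are not reparsed; they stay unreadable until that data is re-ingested through the corrected input.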

carlyleadmin
Contributor

You are right, mmodestino. They are historical data, but like you said, because they are Windows event logs and not regular files, it was showing up messed up.

Thanks,


carlyleadmin
Contributor

Well, I uninstalled my UF and reinstalled it and pointed it to monitor the Application log from the install, instead of editing inputs.conf manually later on.


mattymo
Splunk Employee

Cool, glad you got it working!

- MattyMo

mattymo
Splunk Employee

Hey carlyleadmin, what ended up working for you?

- MattyMo