
How to parse windows data from wincollect (Qradar)?

rishrai
New Member

Hi,

I have Windows data coming into a Splunk instance from a specific domain "DC XYZ". The data from DC XYZ is sent from WinCollect, so the format is different. Is there an app, or has anyone solved this before? Installing the Splunk Windows TA is not an option.

  • Field extraction needs to be built for this format, which is single line. Is there a way to get the data from WinCollect in XML format?
  • Is there an app built to parse windows data from Wincollect?

Thanks,
Rish

1 Solution

FrankVl
Ultra Champion

Ok, not too ugly. Field names largely correspond with what it would normally look like. I'd just write REPORT based extractions for the key=value and key: value pieces. Maybe a few fields that need to be renamed and then just copy all relevant logic from the windows TA (props,transforms,eventtypes,tags,lookups). Make sure to give the copied content unique stanza names (transforms, eventtypes, lookups) to prevent conflicts.


ebaileytu
Communicator

How did you get Windows logs from WinCollect into Splunk? Did you just point it to a TCP input?

Thanks

Ed


ebaileytu
Communicator

I was able to get the agent and figure it out. Just syslog on the backend. Thanks

Ed


FrankVl
Ultra Champion

I've dealt with some funky ways of getting windows data in, but this is not one of them. Can you share a sample log to get some idea of what it looks like?

Typically it boils down to writing the field extractions for the custom format in a way that results in similar fields as what the Splunk TA uses and then copy pasting as much as possible from the windows TA to prevent having to reinvent all that logic for CIM mapping and eventtyping etc. How easy that is depends on how different the custom format is from the 'normal' format.


rishrai
New Member

Format is as below:

Dec 5 13:08:47 XXXXXXX AgentDevice=XXXXXXX AgentLogFile=XXXXXXX PluginVersion=7.2.8.91 Source=Microsoft-Windows-Security-Auditing Computer=XXXXXXX OriginatingComputer=XXXXXXX User= Domain= EventID=4728 EventIDCode=4728 EventType=8 EventCategory=13826 RecordNumber=XXXXXXX TimeGenerated=XXXXXXX TimeWritten=XXXXXXX Level=Log Always Keywords=Audit Success Task=XXXXXXX_ACCOUNTMANAGEMENT_SECURITYGROUP Opcode=Info Message=A member was added to a security-enabled global group. Subject: Security ID: XXXXXXX Account Name: XXXXXXX Account Domain: XXXXXXX Logon ID: XXXXXXX Member: Security ID: XXXXXXX Account Name: CN=XXXXXXX,OU=XXXXXXX,OU=XXXXXXX XXXXXXX XXXXXXX,OU=XXXXXXX,DC=XXXXXXX,DC=XXXXXXX,DC=XXXXXXX Group: Security ID: XXXXXXX Group Name: XXXXXXX Group Domain: XXXXXXX Additional Information: Privileges: -
