Hi,
I have Windows data coming into a Splunk instance from a specific domain "DC XYZ". The data from DC XYZ is sent from WinCollect, so the format is different. Is there an app, or has anyone solved this before? Installing the Splunk Windows TA is not an option.
Thanks,
Rish
Ok, not too ugly. Field names largely correspond with what it would normally look like. I'd just write REPORT based extractions for the key=value and key: value pieces. Maybe a few fields that need to be renamed and then just copy all relevant logic from the windows TA (props,transforms,eventtypes,tags,lookups). Make sure to give the copied content unique stanza names (transforms, eventtypes, lookups) to prevent conflicts.
How did you get Windows logs from WinCollect into Splunk? Did you just point it to a TCP input?
Thanks
Ed
I was able to get the agent and figure it out. Just syslog on the backend. Thanks
Ed
I've dealt with some funky ways of getting windows data in, but this is not one of them. Can you share a sample log to get some idea of what it looks like?
Typically it boils down to writing the field extractions for the custom format in a way that results in similar fields as what the Splunk TA uses and then copy pasting as much as possible from the windows TA to prevent having to reinvent all that logic for CIM mapping and eventtyping etc. How easy that is depends on how different the custom format is from the 'normal' format.
Format is as below:
Dec 5 13:08:47 XXXXXXX AgentDevice=XXXXXXX AgentLogFile=XXXXXXX PluginVersion=7.2.8.91 Source=Microsoft-Windows-Security-Auditing Computer=XXXXXXX OriginatingComputer=XXXXXXX User= Domain= EventID=4728 EventIDCode=4728 EventType=8 EventCategory=13826 RecordNumber=XXXXXXX TimeGenerated=XXXXXXX TimeWritten=XXXXXXX Level=Log Always Keywords=Audit Success Task=XXXXXXX_ACCOUNTMANAGEMENT_SECURITYGROUP Opcode=Info Message=A member was added to a security-enabled global group. Subject: Security ID: XXXXXXX Account Name: XXXXXXX Account Domain: XXXXXXX Logon ID: XXXXXXX Member: Security ID: XXXXXXX Account Name: CN=XXXXXXX,OU=XXXXXXX,OU=XXXXXXX XXXXXXX XXXXXXX,OU=XXXXXXX,DC=XXXXXXX,DC=XXXXXXX,DC=XXXXXXX Group: Security ID: XXXXXXX Group Name: XXXXXXX Group Domain: XXXXXXX Additional Information: Privileges: -
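To make the suggested approach concrete (REPORT-style extractions for the key=value header and the "key: value" pieces inside Message, producing the same field names the Windows TA would), here is an added example that is not from this thread or from the Windows TA: a Python parser for the format shown above, built around the same regexes you would lift into transforms.conf. The sample line, host names, SIDs, the DN and the CIM-style mapping at the end are all constructed for illustration.

```python
import re

# Constructed sample line in the WinCollect syslog format quoted above (not real data).
SAMPLE = (
    "Dec 5 13:08:47 dc01 AgentDevice=dc01 AgentLogFile=Security PluginVersion=7.2.8.91 "
    "Source=Microsoft-Windows-Security-Auditing Computer=dc01.corp.example "
    "OriginatingComputer=dc01.corp.example User= Domain= EventID=4728 EventIDCode=4728 "
    "EventType=8 EventCategory=13826 RecordNumber=987654 TimeGenerated=1512479327 "
    "TimeWritten=1512479327 Level=Log Always Keywords=Audit Success "
    "Task=SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP Opcode=Info "
    "Message=A member was added to a security-enabled global group. "
    "Subject: Security ID: S-1-5-21-1111-2222-3333-500 Account Name: admin1 "
    "Account Domain: CORP Logon ID: 0x3E7 "
    "Member: Security ID: S-1-5-21-1111-2222-3333-1105 "
    "Account Name: CN=jdoe,OU=Users,OU=Site A,DC=corp,DC=example "
    "Group: Security ID: S-1-5-21-1111-2222-3333-512 Group Name: Domain Admins "
    "Group Domain: CORP Additional Information: Privileges: -"
)

# Syslog prefix written by the collector: "<Mon d HH:MM:SS> <host> ".
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
)

# key=value pairs in the header. Values may contain spaces ("Level=Log Always"),
# so a value runs until the next " word=" token. This is the regex you would put in
# a transforms.conf stanza as REGEX with FORMAT = $1::$2.
HEADER_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Section headers inside Message= for the 4728 layout. The colon must follow the
# word directly so that "Group Name:" is not mistaken for the "Group:" section.
SECTION_RE = re.compile(r"\s*\b(Subject|Member|Group|Additional Information):\s*")

# "Label: value" pairs inside a section. The label set is fixed because values such
# as a DN contain spaces, commas and "=", so only a known label can end a value.
LABELS = ["Security ID", "Account Name", "Account Domain", "Logon ID",
          "Group Name", "Group Domain", "Privileges"]
_LABEL_ALT = "|".join(re.escape(label) for label in LABELS)
PAIR_RE = re.compile(rf"({_LABEL_ALT}):\s*(.*?)(?=\s+(?:{_LABEL_ALT}):|$)")


def parse_wincollect(raw: str) -> dict:
    """Parse one WinCollect syslog line into Windows-TA-like field names.

    Header keys keep their names (EventID, Computer, ...). Message labels become
    underscore names (Account_Name) and, like the TA's fields, are multivalued when
    the same label appears in several sections; Subject_Account_Name and friends
    keep the section-qualified value so subject and member are never confused.
    """
    header, _, message = raw.partition(" Message=")
    m = SYSLOG_RE.match(header)
    if not m:
        raise ValueError("not a WinCollect syslog line")
    fields = {"timestamp": m.group("timestamp"), "host": m.group("host")}
    # Only the header is fed to the key=value regex: the DN inside Message contains
    # "CN=", "OU=" and "DC=", which would otherwise show up as bogus fields.
    fields.update(HEADER_KV_RE.findall(header[m.end():]))
    if not message:
        return fields

    fields["Message"] = message
    # re.split with a capture group yields [description, name1, body1, name2, body2, ...]
    parts = SECTION_RE.split(message)
    fields["description"] = parts[0].strip()
    for i in range(1, len(parts) - 1, 2):
        section, body = parts[i].replace(" ", "_"), parts[i + 1]
        for label, value in PAIR_RE.findall(body):
            label = label.replace(" ", "_")
            fields[f"{section}_{label}"] = value
            fields.setdefault(label, []).append(value)
    return fields


def to_cim(fields: dict) -> dict:
    """CIM-style view for the group-membership case. Which Windows field feeds which
    CIM field is an assumption made for this example, not the TA's exact mapping."""
    return {
        "signature_id": fields.get("EventID"),
        "dest": fields.get("Computer"),
        "src_user": fields.get("Subject_Account_Name"),
        "user": fields.get("Member_Account_Name"),
        "user_group": fields.get("Group_Group_Name"),
        "vendor_product": "Microsoft Windows",
    }


if __name__ == "__main__":
    parsed = parse_wincollect(SAMPLE)
    for key in ("EventID", "Subject_Account_Name", "Member_Account_Name", "Group_Group_Name"):
        print(f"{key}={parsed[key]!r}")
    print(to_cim(parsed))
```

In Splunk the same split matters: a REPORT extraction using the header regex with `FORMAT = $1::$2` runs over the whole event, so either anchor it so it stops at `Message=` or accept (and then ignore) the `CN`, `OU` and `DC` fields the distinguished name will produce. The per-section label regex is what needs the most care when copying logic from the Windows TA, since the TA's eventtypes and CIM tags for account management expect the subject and member `Account_Name` values to be distinguishable.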