How does splunk-wineventlog.exe know how to find the Event Logs on a server? We have an inputs.conf file which looks like this, but I am not understanding how Splunk finds the logs. Thank you.
[WinEventLog://Application]
disabled = 0
current_only = 0
checkpointInterval = 5
index = windows
renderXml=false
Thank you for the explanation and code snippet.
The handler does not need to know where the file is because the handler does not interact directly with the underlying log files. You simply need to enter the log name in the input spec.
I don't trust myself to type in long log names, so I use a PowerShell script to get those names into my clipboard.
(Get-WinEvent -ListLog "*" -ErrorAction SilentlyContinue | ?{$_.LogName -match "Application"}).LogName | clip
The WinEventLog handler makes similar API calls to the EventLog provider in Windows, which does all the work of correlating message IDs in the actual log file to messageStrings expressed in the language that matches your localization preferences.
Here is one of my code projects to try and explore the schema of all possible logs. Not sure if the code is stable at this point because I tried to handle classic log type which required lower level programming than I was comfortable with.
https://github.com/dstaulcu/WinEventsToSplunkObjects
This code project also looks really interesting if you are looking to interact with log files seized from offline computers.
https://github.com/vavarachen/evtx2json
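Building on the answer above, here is an added example (not from the original post or from either linked project) that resolves log names exactly as Get-WinEvent reports them and emits a matching inputs.conf stanza for each one, so the name in the stanza can never be mistyped. The function name New-WinEventLogStanza is my own, and the index value "windows" and the other settings are taken from the stanza in the question.

```powershell
# Added example: turn a log-name pattern into ready-to-paste [WinEventLog://...] stanzas.
# Assumes PowerShell 5+ on the Windows host that will run the forwarder.
function New-WinEventLogStanza {
    param(
        [Parameter(Mandatory)][string]$Pattern,   # regex matched against the LogName property
        [string]$Index = 'windows',               # same index as the stanza in the question
        [switch]$IncludeDisabledLogs              # by default, logs disabled in Windows are skipped
    )

    # Get-WinEvent -ListLog returns the exact channel names Splunk expects after "WinEventLog://"
    $logs = Get-WinEvent -ListLog '*' -ErrorAction SilentlyContinue |
        Where-Object { $_.LogName -match $Pattern }

    if (-not $logs) {
        Write-Warning "No event log on this host matches '$Pattern'"
        return
    }

    foreach ($log in $logs) {
        # A stanza for a channel that is disabled in Windows collects nothing, so flag it
        if (-not $log.IsEnabled -and -not $IncludeDisabledLogs) {
            Write-Warning "Skipping '$($log.LogName)': channel is disabled in Windows"
            continue
        }
        # Emit one stanza; keys mirror the inputs.conf example from the question
        @"
[WinEventLog://$($log.LogName)]
disabled = 0
current_only = 0
checkpointInterval = 5
index = $Index
renderXml = false

"@
    }
}

# Usage: stanzas for every enabled channel whose name contains "PowerShell", copied to the clipboard
New-WinEventLogStanza -Pattern 'PowerShell' | Set-Clipboard
```

Paste the clipboard contents into inputs.conf and restart the forwarder; the warnings tell you which channels would need enabling in Windows (for example via wevtutil) before the input can return events.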