splunk-wineventlog.exe

halbeisendv
Path Finder

How does splunk-wineventlog.exe know how to find the Event Logs on a server? We have an inputs.conf file which looks like this, but I am not understanding how Splunk finds the logs. Thank you.

OS Logs

[WinEventLog://Application]
disabled = 0
current_only = 0
checkpointInterval = 5
index = windows
renderXml = false


halbeisendv
Path Finder

Thank you for the explanation and code snippet.


dstaulcu
Builder

The handler does not need to know where the file is because the handler does not interact directly with the underlying log files. You simply need to enter the log name in the input spec.

I don't trust myself to type in long log names, so I use a PowerShell script to get those names into my clipboard.

# List every log the Event Log API knows about, keep the ones whose name contains "Application", and copy the names to the clipboard
(Get-WinEvent -ListLog "*" -ErrorAction SilentlyContinue | Where-Object { $_.LogName -match "Application" }).LogName | clip

The WinEventLog handler makes similar API calls to the EventLog provider in Windows, which does all the work of correlating message IDs in the actual log file to message strings expressed in the language that matches your localization preferences.

Here is one of my code projects to try and explore the schema of all possible logs. Not sure if the code is stable at this point because I tried to handle classic log type which required lower level programming than I was comfortable with.
https://github.com/dstaulcu/WinEventsToSplunkObjects

This code project also looks really interesting if you are looking to interact with log files seized from offline computers.
https://github.com/vavarachen/evtx2json

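An added example (not from the original post and not Splunk's own code) that shows what the stanza above means in practice: it parses a constructed inputs.conf fragment, resolves each log name through the Windows Event Log API (which also reports the backing .evtx path, so no path is ever needed in the stanza), and reads the newest records the way the handler's checkpoint does, by RecordId. The Sysmon stanza and the Get-WinEventLogStanza helper are assumptions for illustration.

```powershell
# Constructed inputs.conf fragment; the Sysmon stanza is an assumed extra example.
$inputsConf = @'
# OS Logs
[WinEventLog://Application]
disabled = 0
current_only = 0
checkpointInterval = 5
index = windows
renderXml=false

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
'@

# Hypothetical helper: pull the log name and settings out of each WinEventLog:// stanza.
function Get-WinEventLogStanza {
    param([string]$Text)
    $stanzas = @()
    $current = $null
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[WinEventLog://(.+)\]$') {
            $current = [ordered]@{ LogName = $Matches[1]; renderXml = 'false'; disabled = '0' }
            $stanzas += $current
        } elseif ($null -ne $current -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $current[$Matches[1]] = $Matches[2]
        }
    }
    return ,$stanzas
}

foreach ($s in Get-WinEventLogStanza -Text $inputsConf) {
    if ($s.disabled -eq '1') { continue }
    # No path in the stanza: the log name alone is resolved through the Event Log API,
    # which also knows the backing .evtx file and the current record count.
    $cfg = Get-WinEvent -ListLog $s.LogName -ErrorAction SilentlyContinue
    if (-not $cfg) { Write-Warning "Log '$($s.LogName)' not found on this host"; continue }
    "{0} -> {1} ({2} records)" -f $cfg.LogName, $cfg.LogFilePath, $cfg.RecordCount

    # Read the newest events; the checkpoint the handler persists is the last RecordId it emitted.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $s.LogName } -MaxEvents 3 -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        # renderXml=false emits the localized message text; renderXml=true emits the raw event XML.
        if ($s.renderXml -eq 'true') { $e.ToXml() } else { "{0} EventID={1} {2}" -f $e.TimeCreated, $e.Id, $e.Message }
    }
    if ($events.Count -gt 0) { "checkpoint RecordId = $($events[0].RecordId)" }
}
```

Run it in an elevated PowerShell session on the host whose logs you want to inspect; a log name that the API cannot resolve produces a warning rather than a file-not-found error, which is the same failure mode you would see in splunkd.log for a mistyped stanza.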