How to index .evtx files and put them in their own...

nls7010 · ‎06-25-2019

I have read all of the above, but I think I'm confused on just what to do to get the indexing going.

We are wanting to pick up the following path on some of our windows servers: %SystemRoot%\System32\Winevt\Logs\Application.evtx , but I'm not certain what to put in the sourcetype for those files.
Can I select an index rather than the main (which we don't want to use)?

Any assistance would be helpful, thank you!

jnudell_2 · ‎06-25-2019

Hi @nls7010 ,
Don't try to ingest the Windows event logs directly. You'll want to use the Windows TA for Splunk (https://splunkbase.splunk.com/app/742/#/overview) and then refer to the documentation for indexing Windows Events from the event log (https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Configuration).

Specifically you'll want to enable collection for the Application log in inputs.conf on your Windows Universal Forwarder:
inputs.conf

[WinEventLog://Application]

disabled = 0

By default, this input is disabled and will need to be enabled in the local folder of the application (if there is no local folder, you would create one and create an inputs.conf with the lines above)

How to index .evtx files and put them in their own index

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM