
Windows Event Logs source and sourcetype names in Universal Forwarder Version 6.0 (Windows Server 2003 SP2 x86)

andreasz
Path Finder

Apparently the source and sourcetype names changed in UF 6.0.

Old name: WinEventLog:Application

New name: WinEventLog:application

The same applies to System and Security Logs.

According to props.conf.spec: "By default, [source::] and [] stanzas match in a case-sensitive manner"

All the props.conf stanzas (Event filtering) don't match any more.

Here is my inputs.conf definition on the forwarder:

default:
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

UF Version: splunkforwarder-6.0-182611-x86-release.msi

Regards,

Andreas

UPDATE

My Workaround

On Indexer:

transforms.conf:

[rename_sourcetype_WinEventLog:application]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::WinEventLog:application
FORMAT = sourcetype::WinEventLog:Application

[rename_sourcetype_WinEventLog:security]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::WinEventLog:security
FORMAT = sourcetype::WinEventLog:Security

[rename_sourcetype_WinEventLog:system]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::WinEventLog:system
FORMAT = sourcetype::WinEventLog:System

[rename_source_WinEventLog:application]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = source::WinEventLog:application
FORMAT = source::WinEventLog:Application

[rename_source_WinEventLog:security]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = source::WinEventLog:security
FORMAT = source::WinEventLog:Security

[rename_source_WinEventLog:system]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = source::WinEventLog:system
FORMAT = source::WinEventLog:System

props.conf:

[WinEventLog:security]
TRANSFORMS-rename_source = rename_source_WinEventLog:security
TRANSFORMS-rename_sourcetype = rename_sourcetype_WinEventLog:security

[WinEventLog:application]
TRANSFORMS-rename_source = rename_source_WinEventLog:application
TRANSFORMS-rename_sourcetype = rename_sourcetype_WinEventLog:application

[WinEventLog:system]
TRANSFORMS-rename_source = rename_source_WinEventLog:system
TRANSFORMS-rename_sourcetype = rename_sourcetype_WinEventLog:system

Update 30.10.2013:

The problem occurs on Windows Server 2003 SP2 x86.
I could not recreate it on Windows Server 2008 R2.


skylasam_splunk
Splunk Employee

This is a known issue - http://docs.splunk.com/Documentation/Splunk/6.0/ReleaseNotes/KnownIssues#Windows-specific_issues

It has since been fixed in UF 6.0.4+ and UF 6.1.x. You can upgrade to these versions, which have the fix. Alternatively, if you cannot upgrade, you can modify your props.conf file to also look for this lower-case sourcetype.

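The failure described in the question, and the workaround suggested in the answer, both come down to the same fact from props.conf.spec: stanza matching is case-sensitive, so a [WinEventLog:Application] stanza silently stops applying its event filtering the moment a forwarder starts sending WinEventLog:application. The script below is an added example (not code from the original post, from Splunk, or from either participant). It parses a props.conf-style text, compares the stanza names against the sourcetype names actually observed on the indexer, reports every sourcetype that matches a stanza only when case is ignored, and renders the duplicated stanzas the answer proposes. The props.conf text and the observed sourcetype list are constructed sample data; the TRANSFORMS names in it are hypothetical.

```python
"""Audit Splunk props.conf stanzas against the sourcetype names actually arriving.

Added example, not from the original post or from Splunk. Sample props.conf and
observed sourcetypes are constructed; transform names are hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample: props.conf with the traditional mixed-case stanzas.
SAMPLE_PROPS_CONF = """
[WinEventLog:Application]
TRANSFORMS-filter = drop_noise_app

[WinEventLog:Security]
TRANSFORMS-filter = drop_noise_sec

[WinEventLog:System]
TRANSFORMS-filter = drop_noise_sys

[source::WinEventLog:Security]
SHOULD_LINEMERGE = false
"""

# Constructed sample: sourcetypes as an indexer might report them, e.g. from a
# search such as  | tstats count where index=* by sourcetype
OBSERVED_SOURCETYPES = [
    "WinEventLog:application",   # UF 6.0 on Windows Server 2003: lower case
    "WinEventLog:security",
    "WinEventLog:System",        # a host still sending the old name
    "WinEventLog:Security",
    "iis",                       # unrelated sourcetype, no stanza at all
]

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_stanzas(conf_text):
    """Return {stanza_name: {key: value}} for the [sourcetype] stanzas in a
    props.conf-style text. [source::...] and [host::...] stanzas are skipped
    because they match on other fields."""
    stanzas = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            name = m.group("name")
            if name.startswith(("source::", "host::")):
                current = None
                continue
            current = stanzas.setdefault(name, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def find_case_mismatches(stanzas, observed):
    """Return {observed_sourcetype: stanza_name} for every observed sourcetype
    that has no exact stanza but does match one when case is ignored. These are
    the events whose props.conf settings Splunk is no longer applying."""
    by_lower = defaultdict(list)
    for name in stanzas:
        by_lower[name.lower()].append(name)
    mismatches = {}
    for st in observed:
        if st in stanzas:
            continue  # exact match: Splunk applies this stanza
        candidates = by_lower.get(st.lower(), [])
        if candidates:
            mismatches[st] = candidates[0]
    return mismatches


def render_fix(stanzas, mismatches):
    """Render a props.conf fragment that repeats each affected stanza under the
    observed (lower-case) name, i.e. the 'also look for the lower-case
    sourcetype' workaround from the answer."""
    parts = []
    for observed_name, stanza_name in sorted(mismatches.items()):
        parts.append(f"[{observed_name}]")
        for key, value in stanzas[stanza_name].items():
            parts.append(f"{key} = {value}")
        parts.append("")
    return "\n".join(parts).rstrip("\n")


if __name__ == "__main__":
    stanzas = parse_stanzas(SAMPLE_PROPS_CONF)
    mismatches = find_case_mismatches(stanzas, OBSERVED_SOURCETYPES)
    for st, stanza in mismatches.items():
        print(f"sourcetype {st!r} arrives but only [{stanza}] is configured")
    print(render_fix(stanzas, mismatches))
```

Run against the sample data it reports WinEventLog:application and WinEventLog:security as unmatched and prints the two extra stanzas to add; WinEventLog:System matches exactly and iis has no stanza in either case, so neither is reported. Pointing it at a real props.conf and a sourcetype list exported from the indexer turns the silent filter gap into a visible, checkable condition.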