Splunk Enterprise

After editing inputs.conf on forwarder, data shows up unreadable

carlyleadmin
Contributor

Hi, I edited the inputs.conf file on my forwarder, and once I restart Splunk etc. I see the data in search, but it is not readable. Can anyone tell me what I am doing wrong?

[default]
host = xxxxxxx

[monitor://C:\Windows\System32\winevt\Logs*]
disabled = false
index = xxxxxx
followTail = 0
sourcetype = sync

I have all the other data coming in fine.

Thanks,


mattymo
Splunk Employee

Hi Carlyleadmin!

Monitoring evtx files can be tricky.

Please review https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Constraints

I believe the issue here is the sourcetype. There is a specific sourcetype for evtx.

from $SPLUNK_HOME/etc/system/default/props.conf:

[source::....(?i)(evt|evtx)(.\d+)?]
sourcetype = preprocess-winevt
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD=30
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv

[preprocess-winevt]
invalid_cause = winevt
is_valid = False
LEARN_MODEL = false

What was the change you made? The sourcetype?

- MattyMo


carlyleadmin
Contributor

Hey Mmodestino,

Instead of initially monitoring the Application log through the installation of the UF, I wanted to skip that part and try to monitor the winevt log files by editing the inputs file.

I gave it the sourcetype name "sync" and used an index I created, mainly because I did not want to put Windows event files in the main index, because I have other Windows event log files being written there from another machine.
So I uninstalled the UF, and on the initial installation I selected to monitor Application log files through WMI. Now it is working, but those files are going into the "main" index. I guess I can move them to another index, right? I will try that.

thanks for the quick reply


mattymo
Splunk Employee

So, the index=xxxxx setting in inputs.conf you shared above is how you control which index the data will go to. The sourcetype tells Splunk how to parse the data. That's why I think the data was messed up above: Windows event logs are not regular flat files.

Are these exported, historical Windows event logs (I assumed they were), or the live logs on the machine? If they are the actual local logs, I would suggest the UF is the way you want to go, using the wineventlog input.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/MonitorWindowseventlogdata
http://docs.splunk.com/Documentation/Splunk/6.6.0/admin/Inputsconf#Windows_Event_Log_Monitor

WMI is not the first thing I'd go to for monitoring Windows, but it depends on what you are trying to do...

- MattyMo
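An added inputs.conf example, not from either poster, that puts the two points of the thread side by side: the sourcetype is what decides how the file is parsed, and the index only decides where events are stored. The index name "windows" and the export directory C:\Exports\ are assumptions for illustration; the commented-out stanza is the questioner's original input with the same assumed index name.

```ini
# Added example (not code from the original thread). Assumes an index
# named "windows" already exists on the indexer and that exported .evtx
# files live under C:\Exports\ on the forwarder; both are assumptions.

# --- Weak: the input from the question -------------------------------
# An explicit sourcetype in inputs.conf takes precedence over the default
# props.conf rule [source::....(?i)(evt|evtx)(.\d+)?], so the binary .evtx
# files are parsed as an ordinary flat-file sourcetype and the events
# come out unreadable. The index setting is fine; it only picks the index.
#[monitor://C:\Windows\System32\winevt\Logs*]
#disabled = false
#index = windows
#sourcetype = sync

# --- Corrected: historical, exported .evtx files ---------------------
# Leave sourcetype unset so the default source pattern in
# $SPLUNK_HOME/etc/system/default/props.conf assigns preprocess-winevt,
# which tells Splunk the files are Windows event log files, not text.
[monitor://C:\Exports\*.evtx]
disabled = false
index = windows

# --- Corrected: live event logs on the forwarder host ----------------
# The live logs under C:\Windows\System32\winevt\Logs are read through the
# native Windows Event Log input on the universal forwarder, not the file
# monitor. The index setting again controls only where the events land.
[WinEventLog://Application]
disabled = false
index = windows
```

After restarting the forwarder, a quick check in search is `index=windows | stats count by sourcetype, source`: exported files should show the winevt-derived sourcetype rather than "sync", and the live Application log should appear under the WinEventLog input. If the data is still garbled, search for the sourcetype actually assigned to the source; an explicit sourcetype in an app's inputs.conf elsewhere on the forwarder would override the default props.conf rule in the same way.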

carlyleadmin
Contributor

You are right, mmodestino, they are historical data, but like you said, it is because they are Windows event logs and not regular files that it was showing up messed up.

Thanks,


carlyleadmin
Contributor

Well, I uninstalled my UF and reinstalled it, and pointed it to monitor the Application log from the install, instead of editing inputs.conf manually later on.


mattymo
Splunk Employee

Cool, glad you got it working!

- MattyMo

mattymo
Splunk Employee

Hey carlyleadmin, what ended up working for you?

- MattyMo