https://community.splunk.com/t5/Splunk-Enterprise/Ingestion-of-Windows-events-works-correctly-in-the-classic/m-p/671355#M18057 <P>The thing I could suggest is enabling debug and trying to look into forwarder's logs but that's a long shot and I have really no concrete advice what to look for. Kinda like "exploratory surgery".</P> Sat, 09 Dec 2023 09:20:05 GMT PickleRick 2023-12-09T09:20:05Z https://community.splunk.com/t5/Splunk-Enterprise/Ingestion-of-Windows-events-works-correctly-in-the-classic/m-p/670467#M17966 <P>Hello Team,</P><P>I got a weird issue, that I struggle to troubleshoot.</P><P>A month ago, I realized that my WinEventLog logs were consuming too much of my licenses, so I decided to index them in the XmlWinEventLog format. To do this, I simply modified the inputs.conf file of my Universal Forwarder.<BR /><BR />I changed from this configuration :</P><PRE>[WinEventLog://Security] <BR />disabled = 0 <BR />start_from = oldest<BR />current_only = 0<BR />evt_resolve_ad_obj = 1<BR />checkpointInterval = 5<BR />blacklist1 = EventCode="4662" Message="Object Type:(?!\sgroupPolicyContainer)"<BR />blacklist2 = EventCode="566" Message="Object Type:(?!\sgroupPolicyContainer)"<BR />renderXml = false<BR />sourcetype = WinEventLog<BR />index = wineventlog</PRE><P>To this configuration:</P><PRE>[WinEventLog://Security] <BR />disabled = 0 <BR />start_from = oldest<BR />current_only = 0<BR />evt_resolve_ad_obj = 1<BR />checkpointInterval = 5<BR />blacklist1 = EventCode="4662" Message="Object Type:(?!\sgroupPolicyContainer)"<BR />blacklist2 = EventCode="566" Message="Object Type:(?!\sgroupPolicyContainer)"<BR />renderXml = true<BR />sourcetype = XmlWinEventLog<BR />index = wineventlog</PRE><P>Then I started receiving events and my license usage reduced, which made me happy. However, upon closer observation, I realized that I wasn't receiving all the events as before. Indeed, I now observe that the event frequency of the XmlWinEventLog logs is random.</P><P>You can observe this on these timelines :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MCH2018_0-1701439929580.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28328i7C68A5FF9B543A94/image-size/medium?v=v2&amp;px=400" role="button" title="MCH2018_0-1701439929580.png" alt="MCH2018_0-1701439929580.png" /></span></P><P>&nbsp;</P><P>And in the metrics :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MCH2018_1-1701439945037.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28329i315190D0F1264C58/image-size/medium?v=v2&amp;px=400" role="button" title="MCH2018_1-1701439945037.png" alt="MCH2018_1-1701439945037.png" /></span></P><P>&nbsp;</P><P>On the other hand, with the WinEventLog format, I have no issues:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MCH2018_2-1701439959223.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28330iB2AC2F256F3C193E/image-size/medium?v=v2&amp;px=400" role="button" title="MCH2018_2-1701439959223.png" alt="MCH2018_2-1701439959223.png" /></span></P><P>&nbsp;</P><P>I tried reinstalling the UF, there are no interesting errors in the splunkd.log, and I am out of ideas for troubleshooting.<BR />Thank you for your help.</P> Fri, 01 Dec 2023 14:14:02 GMT https://community.splunk.com/t5/Splunk-Enterprise/Ingestion-of-Windows-events-works-correctly-in-the-classic/m-p/670467#M17966 MCH2018 2023-12-01T14:14:02Z https://community.splunk.com/t5/Splunk-Enterprise/Ingestion-of-Windows-events-works-correctly-in-the-classic/m-p/670529#M17973 <P>&nbsp;Your blacklist regex expressions may not be compatible with with the XML format for your indexed events.</P><P>Referenced from <A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_blacklists_and_whitelists_to_filter_on_XML-based_events" target="_self">https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_blacklists_and_whitelists_to_filter_on_XML-based_events :</A></P><TABLE><TBODY><TR><TD>Render event data as extensible markup language (XML) supplied by the Windows Event Log subsystem. This setting is optional.<P>A value of 1 or true means to render the events as XML. A value of 0 or false means to render the events as plain text.</P><P class="">If you set renderXml to true, and if you want to also create allow lists or deny lists to filter event data, you must use the $XmlRegex special key in your allow lists or deny lists.</P></TD><TD>0 (false)</TD></TR></TBODY></TABLE> Sat, 02 Dec 2023 15:01:50 GMT https://community.splunk.com/t5/Splunk-Enterprise/Ingestion-of-Windows-events-works-correctly-in-the-classic/m-p/670529#M17973 azteksites 2023-12-02T15:01:50Z https://community.splunk.com/t5/Splunk-Enterprise/Ingestion-of-Windows-events-works-correctly-in-the-classic/m-p/670783#M18002 <P>Thanks for your help, I haven't been able to test your solution yet.<BR />I'm supposed to do it this week, so I'll get back to you.</P> Tue, 05 Dec 2023 10:00:28 GMT https://community.splunk.com/t5/Splunk-Enterprise/Ingestion-of-Windows-events-works-correctly-in-the-classic/m-p/670783#M18002 MCH2018 2023-12-05T10:00:28Z https://community.splunk.com/t5/Splunk-Enterprise/Ingestion-of-Windows-events-works-correctly-in-the-classic/m-p/670821#M18006 <P>While the blacklist format might not be compatible with the XML event format, that should not cause decrease of the number of events, quite the contrary.</P><P>I'd check firstly whether your overall number of events (not just bursts) indeed did decrease. In other words - are you indeed losing events or are are they by any chance getting "choked" but finally get through in shorter but higher-thruput bursts.</P><P>&nbsp;</P> Tue, 05 Dec 2023 13:22:03 GMT https://community.splunk.com/t5/Splunk-Enterprise/Ingestion-of-Windows-events-works-correctly-in-the-classic/m-p/670821#M18006 PickleRick 2023-12-05T13:22:03Z https://community.splunk.com/t5/Splunk-Enterprise/Ingestion-of-Windows-events-works-correctly-in-the-classic/m-p/670845#M18007 <P><SPAN class="">That was one of my theories, but unfortunately, after checking, we do have some missing events.</SPAN></P><P><SPAN class="">We only receive random events in XML and all events in wineventlog format.</SPAN></P> Tue, 05 Dec 2023 14:22:36 GMT https://community.splunk.com/t5/Splunk-Enterprise/Ingestion-of-Windows-events-works-correctly-in-the-classic/m-p/670845#M18007 MCH2018 2023-12-05T14:22:36Z https://community.splunk.com/t5/Splunk-Enterprise/Ingestion-of-Windows-events-works-correctly-in-the-classic/m-p/671240#M18052 <P>Hello,</P><P>Unfortunatly, this solution doesn't solve anything.</P> Fri, 08 Dec 2023 09:19:10 GMT https://community.splunk.com/t5/Splunk-Enterprise/Ingestion-of-Windows-events-works-correctly-in-the-classic/m-p/671240#M18052 MCH2018 2023-12-08T09:19:10Z https://community.splunk.com/t5/Splunk-Enterprise/Ingestion-of-Windows-events-works-correctly-in-the-classic/m-p/671355#M18057 <P>The thing I could suggest is enabling debug and trying to look into forwarder's logs but that's a long shot and I have really no concrete advice what to look for. Kinda like "exploratory surgery".</P> Sat, 09 Dec 2023 09:20:05 GMT https://community.splunk.com/t5/Splunk-Enterprise/Ingestion-of-Windows-events-works-correctly-in-the-classic/m-p/671355#M18057 PickleRick 2023-12-09T09:20:05Z