<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Historical WinEventLog:Security Ingestion Issue in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-resolve-this-historical-WinEventLog-Security-ingestion/m-p/609372#M105658</link>
    <description>&lt;P&gt;&lt;A href="https://community.splunk.com/t5/Getting-Data-In/How-can-I-reindex-a-WinEventLog-file-with-Splunk-TA-windows/m-p/304071" target="_blank"&gt;https://community.splunk.com/t5/Getting-Data-In/How-can-I-reindex-a-WinEventLog-file-with-Splunk-TA-windows/m-p/304071&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Should give you all your event logs reingested (assuming that you haven't configured the inputs to pull only current logs)&lt;/P&gt;</description>
    <pubDate>Fri, 12 Aug 2022 19:45:52 GMT</pubDate>
    <dc:creator>PickleRick</dc:creator>
    <dc:date>2022-08-12T19:45:52Z</dc:date>
    <item>
      <title>How do I resolve this historical WinEventLog:Security ingestion issue?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-resolve-this-historical-WinEventLog-Security-ingestion/m-p/609369#M105657</link>
      <description>&lt;P&gt;Hello all, I need to preface this with the disclaimer that I am a relative Splunk neophyte so if you can / do choose to help, do not hesitate to keep it as knuckle-dragging / mouth-breather proof as possible.....&lt;/P&gt;
&lt;P&gt;Issue:&lt;/P&gt;
&lt;P&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;An individual machine with a UF instance appears to have only sent security logs from around Apr 2022 to be ingested, despite:&lt;/P&gt;
&lt;P&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;(a)&amp;nbsp; the Splunk instance on this local machine has been up and running since 2019&lt;/P&gt;
&lt;P&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;(b) the Splunk ES architecture has been in place and running since 2016, but none of those who&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; implemented it remain, nor is there any usable documentation on exactly how/ why certain&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; configuration choices were made&lt;/P&gt;
&lt;P&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; To comply with data retention requirements we need to ensure&amp;nbsp; that all previous local security logs from 2019 until now are ingested, confirmed to be stored, and then ideally deleted from the local machine to save storage space.&lt;/P&gt;
&lt;P&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;(a) the logs which seem to not have been ingested have been identified and moved to a separate location&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;from the current security log.&lt;/P&gt;
&lt;P&gt;Question:&lt;/P&gt;
&lt;P&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;What is the most efficient and accurate way of ensuring these logs are actually ingested in a distributed environment?&amp;nbsp; When looking through the documentation / various community threads and the Data Ingestion options (on our Deployment Server, License Master, various Search Heads, Heavy Forwarders, Indexers, etc.) I can't find anything that deals specifically with the situation I seem to be facing (existing deployment, select file ingestion from a specific instance) apart from physically going to the machine, which can be.....difficult.&lt;/P&gt;
&lt;P&gt;Any help / information / redirection would be greatly appreciated.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Aug 2022 20:07:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-resolve-this-historical-WinEventLog-Security-ingestion/m-p/609369#M105657</guid>
      <dc:creator>bamflpn18</dc:creator>
      <dc:date>2022-08-17T20:07:47Z</dc:date>
    </item>
    <item>
      <title>Re: Historical WinEventLog:Security Ingestion Issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-resolve-this-historical-WinEventLog-Security-ingestion/m-p/609372#M105658</link>
      <description>&lt;P&gt;&lt;A href="https://community.splunk.com/t5/Getting-Data-In/How-can-I-reindex-a-WinEventLog-file-with-Splunk-TA-windows/m-p/304071" target="_blank"&gt;https://community.splunk.com/t5/Getting-Data-In/How-can-I-reindex-a-WinEventLog-file-with-Splunk-TA-windows/m-p/304071&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Should give you all your event logs reingested (assuming that you haven't configured the inputs to pull only current logs)&lt;/P&gt;</description>
      <pubDate>Fri, 12 Aug 2022 19:45:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-resolve-this-historical-WinEventLog-Security-ingestion/m-p/609372#M105658</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2022-08-12T19:45:52Z</dc:date>
    </item>
    <item>
      <title>Re: Historical WinEventLog:Security Ingestion Issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-resolve-this-historical-WinEventLog-Security-ingestion/m-p/609399#M105663</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248539"&gt;@bamflpn18&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;if you need to understand your architecture, you could see if Monitoring Console is configured.&lt;/P&gt;&lt;P&gt;To check the data, you could run a simple search:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;| metasearch index=*
| stats values(index) AS index values(host) AS host count BY sourcetype&lt;/LI-CODE&gt;&lt;P&gt;in this way you have an overview of all the Data Flows are active in your network and from which hosts and where logs are stored.&lt;/P&gt;&lt;P&gt;In addition ES is a very hard App that's largely evolved in tha last years and also Data Ingestion Apps (TAs).&lt;/P&gt;&lt;P&gt;For all these reasons, I think that this job requires at least a Splunk Architect and in Community you can find only some idea, but you need a good Splunk architecture and Data Ingestion Knowledge.&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Sat, 13 Aug 2022 08:42:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-resolve-this-historical-WinEventLog-Security-ingestion/m-p/609399#M105663</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2022-08-13T08:42:57Z</dc:date>
    </item>
    <item>
      <title>Re: Historical WinEventLog:Security Ingestion Issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-resolve-this-historical-WinEventLog-Security-ingestion/m-p/609855#M105707</link>
      <description>&lt;P&gt;Sir:&lt;/P&gt;&lt;P&gt;I apologize for the delayed response, but....life.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;re: Monitoring Console / Index to Host by Sourcetype&lt;/P&gt;&lt;P&gt;I had pulled some of our basic information from a similar string, as well as pulling up the MC to attempt to view / configure the forwarders / indexes / data sources etc.&amp;nbsp; One of the things that we've found across the environment is individually (and often mis-) configured .conf files and general settings across all tiers of instances, resulting in what appears to be some things going THIS way, others THAT way, and a quite large spectrum of indexes which have sporadic ingestion.&lt;/P&gt;&lt;P&gt;We're working to get hold of one of the subject matter experts via Splunk OnDemand, but due to our turnover of personnel we're still working through transferring licenses / accounts.&amp;nbsp; Unfortunately this specific event requires resolution prior to the anticipated completion of that part.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I appreciate the quick response and information&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 17 Aug 2022 19:11:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-resolve-this-historical-WinEventLog-Security-ingestion/m-p/609855#M105707</guid>
      <dc:creator>bamflpn18</dc:creator>
      <dc:date>2022-08-17T19:11:13Z</dc:date>
    </item>
    <item>
      <title>Re: Historical WinEventLog:Security Ingestion Issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-resolve-this-historical-WinEventLog-Security-ingestion/m-p/609856#M105708</link>
      <description>&lt;P&gt;Sir:&lt;/P&gt;&lt;P&gt;I am sorry for the delayed response, but...life.&lt;/P&gt;&lt;P&gt;That is precisely what I was looking for and makes sense even to me.&amp;nbsp; I have not had an opportunity to implement / validate it on our setup, but I'm optimistic for the first time in a while.&lt;/P&gt;&lt;P&gt;Much appreciated for the information and redirection.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Aug 2022 19:15:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-resolve-this-historical-WinEventLog-Security-ingestion/m-p/609856#M105708</guid>
      <dc:creator>bamflpn18</dc:creator>
      <dc:date>2022-08-17T19:15:51Z</dc:date>
    </item>
  </channel>
</rss>

