topic Re: Why is Splunk not indexing? in Getting Data In

Why is Splunk not indexing?

rockb — Mon, 19 Sep 2022 15:50:26 GMT

I am trying to use Splunk to review windows logs that were exported from machines that are not on a network. I have copied the .evtx files to my Splunk machine.

Fresh install of Splunk 9.0.1

Below is the process I used to try to get the events indexed. I think this is the same process I have used in the past but for some reason no events are indexed.

1. Settings --> New Index
2. Enter Name for index
3. Save
4. Settings --> Data Inputs
5. Files and Directories
6. New Local File and Directory
7. Input Path of top level folder containing logs
8. Select Continuously Monitor
9. Next
10. Source Type: Automatic
11. App Context: Search and reporting
12. Select Constant Value
13. Host field name:*
14. Select Index Created in steps 1- 3
15. Review
16. Start Searching

The search results in 0 events listed. I delete everything from the search box except index="nameofindex" and still there are no events listed.

Re: Why is Splunk not indexing?

richgalloway — Mon, 19 Sep 2022 16:38:43 GMT

Splunk can't read Windows event logs using a monitor input. The usual method is via a WinEventLog input, but that probably won't work with transferred files since WinEventLog expects to get data directly from the local Windows server.

Re: Why is Splunk not indexing?

rockb — Mon, 19 Sep 2022 16:50:11 GMT

I have done this before. I got everything set up and working then another employee took over the task. They then moved and took the computer with them. That employee recently moved to another position and UPS "lost" the computer, so I am now trying to get it set up on a new machine.

I do remember when configuring the previous box I used WinEventLog somewhere in the process. I thought it was in the Source Type under operating system but all I see there now is windows_snare_syslog and that does not seem to work either.

Re: Why is Splunk not indexing?

richgalloway — Mon, 19 Sep 2022 17:18:59 GMT

The sourcetype to use is 'wineventlog'.

Re: Why is Splunk not indexing?

PickleRick — Mon, 19 Sep 2022 17:52:32 GMT

I'm not sure but I think I read somewhere that splunk was able (at least some time ago) to read evt files (not sure about evtx). One caveat - it must have been a windows splunk version - it probably used some system library calls to process the file.

I'm not however sure if the possibility still exists since I haven't seen a windows-based splunk server for a loooooong time.

Re: Why is Splunk not indexing?

rockb — Mon, 19 Sep 2022 18:02:40 GMT

wineventlog was not found but that did get me there.

The correct string is "preprocess-winevt".

It is indexing now. Thank you .

Re: Why is Splunk not indexing?

gcusello — Tue, 20 Sep 2022 06:38:33 GMT

Hi @rockb,

to ingest wineventlogs you have to use the wineventlog connector created by Splunk because windows eventlogs are encrypted.

As @richgalloway said you have to use a different input option: [Settings -- Data inputs -- Local event log Collection] and automatically the correct sourcetype will associated to the logs: wineventlog:security, wineventlog:application, wineventlog:system.

My hint is to use a different approach:

downaload the Splunk TA_Windows from Splunkbase (https://splunkbase.splunk.com/app/742/),
copy the inputs.conf from the default to local folder,
enable the stanzas you need (disabled=0),
upload the App in your Splunk environment or deploy to your Splunk Forwarder.

In this way, you have a more organized data input.

Ciao.

Giuseppe

Re: Why is Splunk not indexing?

PickleRick — Tue, 20 Sep 2022 08:00:44 GMT

evtx files are _not_ encrypted. You can move your files around and you can import them into another machine and whatnot. And you don't have to provide any secrets in doing so. So they are not encrypted. They are however encoded so they are not in a plain text format and are thus useless for direct importing with a monitor input.

One could try importing the files into event viewer and setting an Event Log input with the destination log name. Might work but I haven't tried it myself.