topic Re: Ingesting offline Windows Event logs from different systems in Getting Data In

Ingesting offline Windows Event logs from different systems

KP3 — Thu, 06 Jul 2023 08:47:14 GMT

I am trying to use a Universal Forwarder to get a load of windows event logs that I need to analyse into Splunk. The event logs are from about 7 different systems and are all located on my local laptop in a folder.

I have tried adding the folder into the inputs.conf file and setting the sourcetype to WinEventLog, but once the data is in, the individual events are not being extracted. Rather the entire file is being passed as one event and all I can see are the headers for each Event Log.

Is someone able to help me with this please?

I should probably state that I am using a Splunk Cloud instance and do not have a deployment server - I need to go straight from my laptop to the Splunk Cloud instance.

Thanks

Re: Ingesting offline Windows Event logs from different systems

isoutamo — Thu, 06 Jul 2023 08:57:54 GMT

If I understood right you have those events on .evxt files? Is so you should create separate inputs.conf for those. There are couple of posts where this has explained

Key word seems to be sourcetype="preprocess-winevt".

If you have those files on linux there is some additional tools which your are needing to read/index correctly into splunk.

r. Ismo

Re: Ingesting offline Windows Event logs from different systems

KP3 — Thu, 06 Jul 2023 15:22:11 GMT

Thank you! That has worked.

Re: Ingesting offline Windows Event logs from different systems

rvany — Thu, 23 Jan 2025 07:38:52 GMT

A small update to these link (the former is a repost of the latter). The former link/document was moved to

https://www.invictus-ir.com/news/importing-windows-event-log-files-into-splunk