topic Re: Splunk onboarding Custom Views from EventViewer in Getting Data In

Splunk onboarding Custom Views from EventViewer

dc17 — Fri, 12 Apr 2024 12:48:38 GMT

Hello,

I am trying to create a custom view (also via Xpath) from EventViewer and later insert it into Splunk via a "WinEventLog" and leveraging the Windows Addon.

Can it be done using "WinEventLog" or some other way in inputs.conf as it is for Application/Security/System?
[WinEventLog://MyCustomLog]

As suggested here I tried this configuration but no logs were onboarded and it returned no error also in _internal logs.

Has anyone found a custom solution for inserting these newly created custom views from the EventViewer to Splunk?

Thanks

Re: Splunk onboarding Custom Views from EventViewer

VatsalJagani — Sat, 13 Apr 2024 06:59:36 GMT

@dc17 - You need to give full path like:

[WinEventLog://Microsoft-Windows-Sysmon/Operational] checkpointInterval = 5 current_only = 0 disabled = 0 start_from = oldest index = sysmon sourcetype = WinEventLog:Sysmon

In my case, I can see a folder called Micrsoft > Windows > Sysmon folder. In which I can see Operational logs.

You need to give full path, instead of just MyCustomLog. Give full path, which you can find from Event Viewer.

I hope this helps!!!

Re: Splunk onboarding Custom Views from EventViewer

VatsalJagani — Tue, 16 Apr 2024 12:28:09 GMT

@dc17 - Did the solution work for you?? If so, kindly consider accepting the answer for future Splunk users.

Re: Splunk onboarding Custom Views from EventViewer

dc17 — Tue, 16 Apr 2024 12:37:28 GMT

Hi @VatsalJagani ,

Thanks for the reply, could you help me find the full path of the file/.evtx from the EventViewer? I could not find any reference from the EventViewer in my CustomViews of a full path where the Logs are stored.

If I recollect this full path, I could perform some tests on the solution you kindly proposed to me,

Thanks

Re: Splunk onboarding Custom Views from EventViewer

VatsalJagani — Tue, 16 Apr 2024 14:17:00 GMT

@dc17 - I'm not sure what logs you are trying to find in the EventViewer. Is it any known Application logs are you trying to find??

Re: Splunk onboarding Custom Views from EventViewer

dc17 — Tue, 16 Apr 2024 16:07:45 GMT

Hi @VatsalJagani ,

I am not looking in any logs specifically because I need to create multiple Custom View and configure them with different Xpath queries. So I am looking on an approach to monitor with WinEventLog these CustomViews.

In the photo an example of CustomView is "Test" folder.
But in the path C:\Windows\System32\winevt\Logs I could not find any reference to this "Test" CustomView.

To recap:
"Test" CustomView works fine in the EventViewer and it is updated live with the execution of my query. It contains all the events I am interested (not important which one). However I could not find any path connected to it, where the logs are stored and ready to be collected by a Splunk WinEventLog monitor.

Thanks,