topic Re: Additional Windows Event Logs in Getting Data In

Additional Windows Event Logs

UnsuperviseLeon — Tue, 27 Aug 2024 20:38:12 GMT

Hello! I am trying to collect 3 additional Windows Event logs and I have added them in the inputs.conf, for example

[WinEventLog://Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 renderXml=true

Admin, Autopilot, and Operational, were added the same way.

I also added in props.conf

[WinEventLog:Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin] rename = wineventlog [WinEventLog:Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot] rename = wineventlog [WinEventLog:Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational] rename = wineventlog

The data are coming in, however, none of the fields are parsed as interesting fields.

Is there something I am missing? I looked through some of the other conf file, but I think I am in over my head to make a new section in props? I thought the base [WinEventLog] would take care of the basic breaking up of interesting fields like EventID, so I am a bit lost.

Re: Additional Windows Event Logs

PickleRick — Tue, 27 Aug 2024 22:15:00 GMT

Interesting Fields is just a GUI feature that shows fields present in at least 10 (15?) percent of events. Just because field is not listed there doesn't mean it's not being parsed out from the event. Actually with renderXml=true you get xml-formatted events from which all fields should be automatically parsed.

Re: Additional Windows Event Logs

gcusello — Wed, 28 Aug 2024 06:30:00 GMT

Hi @UnsuperviseLeon ,

as @PickleRick said, fields are lister in interesting fields only if you have them in at least 20% of the events, you can check these fields putting in the main search one of these new fields (e.g. my_field=*).

then, it isn't sure that these fields are correctly parsed by the standard Windows parser, you have to check this and eventually add the missing parsings.

Ciao.

Giuseppe

Re: Additional Windows Event Logs

UnsuperviseLeon — Thu, 29 Aug 2024 14:34:57 GMT

Things like "EventID" is in every event and that isn't showing up. I'll poke around the other conf more.

Re: Additional Windows Event Logs

PickleRick — Thu, 29 Aug 2024 18:01:56 GMT

Ok. Aren't you perchance searching in fast mode? Oh, and I of course assume you have your TA_windows installed in all required places, right?

Re: Additional Windows Event Logs

UnsuperviseLeon — Thu, 29 Aug 2024 21:46:43 GMT

Not searching in fast mode.

I am going to assume that I did not installed it in all the required places, I inherited this from another employee. I have it deployed from the DS to my endpoints and the local conf are configured there. I have it also installed via Manage Apps in the Cloud search head.