<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: windows evtx logs to splunk linux deployment using a universal forwarder in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/windows-evtx-logs-to-splunk-linux-deployment-using-a-universal/m-p/709474#M117203</link>
    <description>&lt;P&gt;This is just to add some pieces of information.&lt;/P&gt;&lt;P&gt;The Windows Event Log data is written to disk at least before and after a reboot or a restart of the "Windows Event Log" service. These files are then saved under &lt;FONT face="courier new,courier"&gt;C:\Windows\System32\winevt\Logs&lt;/FONT&gt; with names such as &lt;FONT face="courier new,courier"&gt;Application.evtx&lt;/FONT&gt; or &lt;FONT face="courier new,courier"&gt;Security.evtx&lt;/FONT&gt;.&lt;/P&gt;&lt;P&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;These files are in a somewhat "binary" format, but this format is known and there are tools to extract their data in text format. E.g., using the Python language, there is a module named "python-evtx".&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;I did &lt;STRONG&gt;not&lt;/STRONG&gt; try using this module inside a Linux-based indexer to directly read the data from the files.&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;Doing this is probably a bad idea for the standard Windows Event Logs, as these are best read using the solution provided above, but in the case of "standalone" event files, which other applications might create, using such tools is a way to go.&lt;/FONT&gt;&lt;/P&gt;</description>
    <pubDate>Wed, 22 Jan 2025 15:18:06 GMT</pubDate>
    <dc:creator>rvany</dc:creator>
    <dc:date>2025-01-22T15:18:06Z</dc:date>
    <item>
      <title>windows evtx logs to splunk linux deployment using a universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/windows-evtx-logs-to-splunk-linux-deployment-using-a-universal/m-p/489582#M83711</link>
      <description>&lt;P&gt;I am trying to forward logs from a Windows server to a Linux Splunk Enterprise using the universal forwarder. The application.evtx file was transferred to the folder D:\Archive_Logs\Application_Logs\Application.evtx instead of the regular folder where application logs are stored. I used inputs.conf to monitor the file using [monitor://d:\Archive_Logs\Application_Logs\Application.evtx]. It seems to have ingested it, but I only got 1 event with unreadable data. This is the same unreadable data I get when I try to use the Add Data feature in Splunk. I read the document at &lt;A href="https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/MonitorWindowseventlogdata" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/MonitorWindowseventlogdata&lt;/A&gt; and it says there are some issues with using Linux Splunk for monitoring Windows event logs. Not sure why this is not working, because we also have other servers with Windows event logs being sent to the same Linux Splunk Enterprise, but those are using the regular [WinEventLog://Application] input. Why does this happen and how can I get our logs sent to Splunk? We have a Splunk deployment with a deployment master pushing apps to Windows servers.&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 05:16:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/windows-evtx-logs-to-splunk-linux-deployment-using-a-universal/m-p/489582#M83711</guid>
      <dc:creator>d4rk_sp1d3r</dc:creator>
      <dc:date>2020-09-30T05:16:09Z</dc:date>
    </item>
    <item>
      <title>Re: windows evtx logs to splunk linux deployment using a universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/windows-evtx-logs-to-splunk-linux-deployment-using-a-universal/m-p/489583#M83712</link>
      <description>&lt;P&gt;The issue is that files in .evtx format are not readable - they are a custom binary format used by Microsoft. So even if you try to read them on a Windows-based Splunk server, it would not work. If they are sitting in a disk folder, then somebody has exported them and they are no longer Windows event logs, but just files containing data extracted from a Windows event log. &lt;/P&gt;

&lt;P&gt;When using the standard Splunk Windows logs collection process - [WinEventLog://Application] - this uses API calls to read each event, rather than trying to read a file directly on disk. &lt;/P&gt;

&lt;P&gt;You will need to either convert the files to readable text, or switch to reading the events within the event log before they are exported. There seem to be some details on using the tool WEVTUTIL to perform this conversion. &lt;/P&gt;

&lt;P&gt;&lt;A href="https://techcommunity.microsoft.com/t5/ask-the-performance-team/windows-vista-and-exported-event-log-files/ba-p/372550"&gt;https://techcommunity.microsoft.com/t5/ask-the-performance-team/windows-vista-and-exported-event-log-files/ba-p/372550&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 30 Apr 2020 16:39:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/windows-evtx-logs-to-splunk-linux-deployment-using-a-universal/m-p/489583#M83712</guid>
      <dc:creator>wyfwa4</dc:creator>
      <dc:date>2020-04-30T16:39:51Z</dc:date>
    </item>
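The conversion wyfwa4 points at, carried through end to end on the Windows host as an added example (this is not code from the thread or from Splunk; it is mine). It assumes the paths from the question, wevtutil.exe from the Windows host for the conversion, and a sourcetype name, index name and staging folder of my own choosing:

```powershell
# Added example, not from the thread: turn an exported .evtx into one-event-per-line
# XML with wevtutil.exe, then stage the Splunk configuration that ingests that text.
# Paths are the ones from the question; sourcetype, index and staging folder are mine.
$Evtx    = 'D:\Archive_Logs\Application_Logs\Application.evtx'
$Xml     = 'D:\Archive_Logs\Application_Logs\Application.xml'
$Staging = 'D:\Archive_Logs\splunk_conf'   # assumption: where the conf files are staged

# 1. Check the signature. A real .evtx begins with the 8 bytes "ElfFile" plus NUL; a
#    text export (wevtutil /f:text, CSV from Event Viewer) does not, and wevtutil
#    will refuse it. This is the check that separates the two kinds of "event file".
$fs = [System.IO.File]::OpenRead($Evtx)
try {
    $magic = New-Object byte[] 8
    $null = $fs.Read($magic, 0, 8)
} finally {
    $fs.Dispose()
}
$sig = [System.Text.Encoding]::ASCII.GetString($magic, 0, 7)
if ($sig -ne 'ElfFile') {
    throw "$Evtx does not look like an EVTX file (signature '$sig')"
}

# 2. Convert. /lf:true makes the first argument a file path instead of a channel
#    name; /f:xml emits each event as a single-line Event element, so the default
#    line breaker ([\r\n]+) gives exactly one event per line on the Splunk side.
wevtutil qe $Evtx /lf:true /f:xml | Out-File -FilePath $Xml -Encoding utf8
if ($LASTEXITCODE -ne 0) {
    throw "wevtutil failed with exit code $LASTEXITCODE"
}

# 3. Forwarder side: monitor the text file, not the .evtx. This stanza goes into
#    the app the deployment server pushes to the Windows host.
$Inputs = @'
[monitor://D:\Archive_Logs\Application_Logs\*.xml]
sourcetype = winevt:exported:xml
index = windows
disabled = 0
'@

# 4. Indexer side: a universal forwarder does no parsing, so timestamp and line
#    settings live in props.conf on the Linux indexers (or a heavy forwarder).
#    wevtutil writes TimeCreated SystemTime in UTC with a trailing Z.
$Props = @'
[winevt:exported:xml]
SHOULD_LINEMERGE = false
TRUNCATE = 0
TIME_PREFIX = SystemTime=['"]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
KV_MODE = xml
'@

New-Item -ItemType Directory -Force -Path $Staging | Out-Null
Set-Content -Path (Join-Path $Staging 'inputs.conf') -Value $Inputs -Encoding ascii
Set-Content -Path (Join-Path $Staging 'props.conf')  -Value $Props  -Encoding ascii
Write-Host "Converted $Evtx to $Xml; conf files staged under $Staging"
```

The signature check is there because a file that does not start with ElfFile is not an event log export at all, and wevtutil will not open it. inputs.conf belongs in the forwarder app the deployment server already pushes to the Windows servers; props.conf must reach the Linux indexers, since the universal forwarder does not parse events. If the messages contain non-ASCII text, check the encoding of the XML file before pointing the forwarder at it, because the console code page decides how wevtutil's output is decoded.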
    <item>
      <title>Re: windows evtx logs to splunk linux deployment using a universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/windows-evtx-logs-to-splunk-linux-deployment-using-a-universal/m-p/709474#M117203</link>
      <description>&lt;P&gt;This is just to add some pieces of information.&lt;/P&gt;&lt;P&gt;The Windows Event Log data is written to disk at least before and after a reboot or a restart of the "Windows Event Log" service. These files are then saved under &lt;FONT face="courier new,courier"&gt;C:\Windows\System32\winevt\Logs&lt;/FONT&gt; with names such as &lt;FONT face="courier new,courier"&gt;Application.evtx&lt;/FONT&gt; or &lt;FONT face="courier new,courier"&gt;Security.evtx&lt;/FONT&gt;.&lt;/P&gt;&lt;P&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;These files are in a somewhat "binary" format, but this format is known and there are tools to extract their data in text format. E.g., using the Python language, there is a module named "python-evtx".&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;I did &lt;STRONG&gt;not&lt;/STRONG&gt; try using this module inside a Linux-based indexer to directly read the data from the files.&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;Doing this is probably a bad idea for the standard Windows Event Logs, as these are best read using the solution provided above, but in the case of "standalone" event files, which other applications might create, using such tools is a way to go.&lt;/FONT&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 22 Jan 2025 15:18:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/windows-evtx-logs-to-splunk-linux-deployment-using-a-universal/m-p/709474#M117203</guid>
      <dc:creator>rvany</dc:creator>
      <dc:date>2025-01-22T15:18:06Z</dc:date>
    </item>
    <item>
      <title>Re: windows evtx logs to splunk linux deployment using a universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/windows-evtx-logs-to-splunk-linux-deployment-using-a-universal/m-p/709486#M117205</link>
      <description>Here is one old answer for indexing Windows .evtx files.&lt;BR /&gt;&lt;A href="https://community.splunk.com/t5/Getting-Data-In/Ingesting-offline-Windows-Event-logs-from-different-systems/m-p/649515" target="_blank"&gt;https://community.splunk.com/t5/Getting-Data-In/Ingesting-offline-Windows-Event-logs-from-different-systems/m-p/649515&lt;/A&gt;</description>
      <pubDate>Wed, 22 Jan 2025 16:19:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/windows-evtx-logs-to-splunk-linux-deployment-using-a-universal/m-p/709486#M117205</guid>
      <dc:creator>isoutamo</dc:creator>
      <dc:date>2025-01-22T16:19:22Z</dc:date>
    </item>
    <item>
      <title>Re: windows evtx logs to splunk linux deployment using a universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/windows-evtx-logs-to-splunk-linux-deployment-using-a-universal/m-p/709563#M117223</link>
      <description>&lt;P&gt;Thank you for the link(s). Would be great if Splunk had included this important bit of information in their docs...&lt;/P&gt;</description>
      <pubDate>Thu, 23 Jan 2025 07:35:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/windows-evtx-logs-to-splunk-linux-deployment-using-a-universal/m-p/709563#M117223</guid>
      <dc:creator>rvany</dc:creator>
      <dc:date>2025-01-23T07:35:44Z</dc:date>
    </item>
    <item>
      <title>Re: windows evtx logs to splunk linux deployment using a universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/windows-evtx-logs-to-splunk-linux-deployment-using-a-universal/m-p/709583#M117227</link>
      <description>I think that as those are usually ingested directly on Windows nodes via the correct input method, this is not a normal use case. Those who need to investigate those files later usually already know how to do this.</description>
      <pubDate>Thu, 23 Jan 2025 12:37:48 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/windows-evtx-logs-to-splunk-linux-deployment-using-a-universal/m-p/709583#M117227</guid>
      <dc:creator>isoutamo</dc:creator>
      <dc:date>2025-01-23T12:37:48Z</dc:date>
    </item>
  </channel>
</rss>

