https://community.splunk.com/t5/Getting-Data-In/WIndows-Events-get-x00-in-agent-Splunk-Forwarder/m-p/711439#M117532 <P>My bad, in this env my friend setting different inputs.conf and it from .evtx and it cannot readable in splunk without some setting. Sorry guys</P> Thu, 13 Feb 2025 03:34:51 GMT zksvc 2025-02-13T03:34:51Z https://community.splunk.com/t5/Getting-Data-In/WIndows-Events-get-x00-in-agent-Splunk-Forwarder/m-p/711086#M117464 <P>Hi Everyone,</P><P>i got error since i try install new agent in new server using SplunkForwarder.&nbsp;</P><P>For inputs.conf i use like this&nbsp;</P><P>&nbsp;</P><LI-CODE lang="c">[WinEventLog://Security] disabled = 0 index = windows sourcetype = Wineventlog:Security [WinEventLog://System] disabled = 0 index = windows sourcetype = Wineventlog:System [WinEventLog://Microsoft-Windows-PowerShell/Operational] disabled = 0 index = windows sourcetype = WinEventLog:PowerShell</LI-CODE><P>&nbsp;</P><P>And the preview is like this in&nbsp;<SPAN class="">source =</SPAN><SPAN>&nbsp;</SPAN><SPAN class=""><A class="" title="C:\Windows\System32\winevt\Logs\Microsoft-Windows-WFP%4Operational.evtx" href="http://172.188.83.214:8000/en-US/app/search/search?q=search%20index%3Dfmi_internal&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;workload_pool=&amp;earliest=-60m%40m&amp;latest=now&amp;sid=1739171894.2288#" target="_blank" rel="noopener">C:\Windows\System32\winevt\Logs\Microsoft-Windows-WFP%4Operational.evtx</A>&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zksvc_0-1739171786682.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/34436i3C1B0D190C7E0D1E/image-size/medium?v=v2&amp;px=400" role="button" title="zksvc_0-1739171786682.png" alt="zksvc_0-1739171786682.png" /></span></P><P>This is not my first time to ingest windows, but this error just happen to me right now. And i confuse how to solved it.</P><P>&nbsp;</P> Mon, 10 Feb 2025 07:22:12 GMT https://community.splunk.com/t5/Getting-Data-In/WIndows-Events-get-x00-in-agent-Splunk-Forwarder/m-p/711086#M117464 zksvc 2025-02-10T07:22:12Z https://community.splunk.com/t5/Getting-Data-In/WIndows-Events-get-x00-in-agent-Splunk-Forwarder/m-p/711093#M117466 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/269896">@zksvc</a>&nbsp;</P><P>Looks like a binary file was read there.</P><P>Have you followed the steps here <A href="https://docs.splunk.com/Documentation/Splunk/9.4.0/Data/MonitorWindowseventlogdata" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.4.0/Data/MonitorWindowseventlogdata</A> ?</P> Mon, 10 Feb 2025 08:16:24 GMT https://community.splunk.com/t5/Getting-Data-In/WIndows-Events-get-x00-in-agent-Splunk-Forwarder/m-p/711093#M117466 dataisbeautiful 2025-02-10T08:16:24Z https://community.splunk.com/t5/Getting-Data-In/WIndows-Events-get-x00-in-agent-Splunk-Forwarder/m-p/711439#M117532 <P>My bad, in this env my friend setting different inputs.conf and it from .evtx and it cannot readable in splunk without some setting. Sorry guys</P> Thu, 13 Feb 2025 03:34:51 GMT https://community.splunk.com/t5/Getting-Data-In/WIndows-Events-get-x00-in-agent-Splunk-Forwarder/m-p/711439#M117532 zksvc 2025-02-13T03:34:51Z