topic Re: Can I send windows security logs using UF over HTTP to Logstash ? in Getting Data In

Can I send windows security logs using UF over HTTP to Logstash ?

vikas_gopal — Tue, 13 May 2025 23:24:23 GMT

Hello Experts ,

I am trying to send windows security logs to logstash(http) receiver . Below is what I have based on my understanding from below splunk document

https://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Configureforwardingwithoutputs.conf?_gl=1*1oibtlm*_gcl_aw*R0NMLjE3NDY4NDE5NzEuRUFJYUlRb2JDaE1Jc2Z2dnRPV1hqUU1WaDBwX0FCMlJYQnRjRUFBWUFTQUFFZ0wtNXZEX0J3RQ..*_gcl_au*NzE5NjQzNDU5LjE3NDQ5MDE2Mjc.*FPAU*NzE5NjQzNDU5LjE3NDQ5MDE2Mjc.*_ga*NjI5NDg5MjY4LjE3NDQ5MDE2Mjg.*_ga_5EPM2P39FV*czE3NDcxNTY4OTMkbzckZzEkdDE3NDcxNTcxNDIkajAkbDAkaDM4ODI5OTg4OQ..*_fplc*R1FCTFo5ZiUyQnVNQ3gxRlQ2NXVoQW45b0tXS2Z4SiUyRkxpSUYyME04d2hZRGR4b25qaGFMaEhSRG1SYUpoaDhCTG8zc3daRkhXZEhtTjFad0VtcFhoTHBZc0k3eGgzUDVNZzJOaXhkJTJCNGklMkIxbUJpYVRBanhIWUpKdFFtMlpIRVElM0QlM0Q.

On UF I have

inputs.conf

[WinEventLog://Security]
disabled = 0

outputs.conf

[httpout]
httpEventCollectorToken = <token>
uri = http://127.0.0.1:8002
compressed = false
sendCookedData = false
compression = none

my logstash.conf ( I want to write the data into a file)

input {
http {
port => 8002
codec => plain
}
}

output {
file {
path => "C:\logstash_output\uf_debug_raw.txt"

}
}

The file is being created but it holds encoded data like encrypted data , symbols . Can someone suggest if this is even possible

data in the file
{"url":{"domain":"127.0.0.1","port":8002,"path":"/services/collector/s2s"},"@version":"1","event":{"original":"�x��V�n\u001CE\u0010�`@��@\u001C��%

Re: Can I send windows security logs using UF over HTTP to Logstash ?

richgalloway — Wed, 14 May 2025 00:16:58 GMT

When a UF sends data via HTTP it uses the Splunk-to-Splunk protocol, which logstash doesn't support.

Re: Can I send windows security logs using UF over HTTP to Logstash ?

vikas_gopal — Wed, 14 May 2025 22:44:36 GMT

That is what I wanted to confirm 🙂 . Do you have any suggestion what could be the other way to send logs using UF to logstash , I have tested TCP which is working but somehow it is sending splunk UF internal logs too to logstash which I need to filter later at logstash level

Re: Can I send windows security logs using UF over HTTP to Logstash ?

PickleRick — Thu, 15 May 2025 10:41:03 GMT

It is expected. By default Splunk sends all data to all output groups. You'd need to fiddle with event routing which can be tricky since UF normally doesn't do transforms.

Re: Can I send windows security logs using UF over HTTP to Logstash ?

richgalloway — Thu, 15 May 2025 12:24:40 GMT

Whether via HTTP or TCP, the UF only sends data using the Splunk-to-Splunk protocol so cannot send successfully to Logstash. I suggest using a Logstash agent, instead.

The sending of UF internal logs is a setting in an inputs.conf file. Turning that off will not solve the above problem, however.

Re: Can I send windows security logs using UF over HTTP to Logstash ?

PickleRick — Thu, 15 May 2025 14:26:39 GMT

@richgalloway Shouldn't UF send raw data when sendCookedData=false on tcpout? Never tried it myself but the docs say so.

Re: Can I send windows security logs using UF over HTTP to Logstash ?

richgalloway — Thu, 15 May 2025 14:56:42 GMT

Good find, @PickleRick ! The docs do imply one should set sendCookedData=false when sending to third-party systems.

@vikas_gopalPlease try that and report the results.

Re: Can I send windows security logs using UF over HTTP to Logstash ?

vikas_gopal — Thu, 15 May 2025 16:59:27 GMT

Well I was using this already as mentioned in my original post .

Re: Can I send windows security logs using UF over HTTP to Logstash ?

PickleRick — Thu, 15 May 2025 17:11:37 GMT

You used httpout which doesn't use this option at all so I completely missed that.

Re: Can I send windows security logs using UF over HTTP to Logstash ?

isoutamo — Thu, 15 May 2025 17:52:57 GMT

Are you sure that your character sets are correctly defined? Based on your example it seems that you have at least UTF escaped characters and probably real UTF or some other in your file?

Re: Can I send windows security logs using UF over HTTP to Logstash ?

vikas_gopal — Thu, 15 May 2025 18:15:06 GMT

Thank you for your response , I have tried below but with that also same problem .

codec => plain { charset => "UTF-8" }

codec => plain { charset => "UTF-16LE" }

Re: Can I send windows security logs using UF over HTTP to Logstash ?

vikas_gopal — Thu, 15 May 2025 18:16:59 GMT

exactly , stopping internal logs at UF level does not work however at logstash level it worked . but yeah via HEC it is not possible it seems so far . Still waiting for others to respond may be we crack something amazing here collectively 🙂 . Thank you for response though

Re: Can I send windows security logs using UF over HTTP to Logstash ?

vikas_gopal — Thu, 15 May 2025 18:19:01 GMT

so I tried this but end up with same problem
UF--> HF(routing) --> LS( writing to a file)

httpout is definitely not working/supported for logstash .

Re: Can I send windows security logs using UF over HTTP to Logstash ?

PickleRick — Thu, 15 May 2025 18:23:38 GMT

You can make events generated by local inputs be sent to just one output group. But that will not be pretty.

You need to set _TCP_ROUTING key for each input stanza that you want to selectively manage. That means adding this to every single Splunk's own input. I'd just create a separate app and create inputs.conf in that app containing just this one setting per each input stanza.

EDIT: And one more thing - you cannot use both tcpout and httpout at the same time.

Re: Can I send windows security logs using UF over HTTP to Logstash ?

PickleRick — Thu, 15 May 2025 18:26:23 GMT

It's not that httpout is not supported for logstash, it's that logstash cannot do s2s. 😉

Yes, it is confusing but despite sharing some of the low-level mechanics, s2s over http (which is httpout) has nothing to do with "normal HEC" .