topic Re: Legacy windows (XP, Server 2000) log onboarding to Splunk (without UF) in Getting Data In

Legacy windows (XP, Server 2000) log onboarding to Splunk (without UF)

Anit_Mathew — Wed, 08 Oct 2025 05:20:03 GMT

Hi team,
Is there any way to onboard legacy windows (XP, Server 2000) logs to Splunk, without UF? Specifically non domain devices.

Re: Legacy windows (XP, Server 2000) log onboarding to Splunk (without UF)

isoutamo — Wed, 08 Oct 2025 07:41:32 GMT

If you really need to use those and need logs into splunk, I suppose that you need to do some scripting or programming for that. Just read those logs with your script/program and then send those via Splunk HEC into indexers.

https://dev.splunk.com/enterprise/docs/devtools/httpeventcollector/

told more how to use HEC.

Re: Legacy windows (XP, Server 2000) log onboarding to Splunk (without UF)

PickleRick — Wed, 08 Oct 2025 07:45:38 GMT

1. Welcome to the Archaeology department 😉

2. Do you want to onboard static evt file or do you by any chance have a still running w2k/wxp instances and want to onboard "running logs"?

Static files might work with windows-based UF (but I never remember the right configuration for it - you have to search).

If you have a still operational ancient windows boxes... there are the same general options with any more modern windows but they might be more tricky to get right (at all).

a. Use an UF. But you said you don't want a UF and you might not get a sufficiently old UF which would still be compatible with modern Splunk receiving environment (the oldest UFs I worked with were 6.6 and they might have had no support for such old windows already; I doubt you can even get older forwarders, let alone making them work with Splunk 9+).

b. Query your windows from remote machine with UF by WMI - that might again be very tricky (if possible at all) with such old Windows. And for this you'd need your machines to be domain-joined.

c. Use Windows Event Forwarding. Well, this actually is not available for you as I believe this feature was introduced later - 2003 server/Vista.

d. Use any third-party tool to dump the event log and write it to a text file or send via syslog. This is the worst possible method of ingesting windows logs. Even if you ingest the data this way it will be in a completely unusual format and you'll need to put in huge amount of time to make it readable/parseable and so on.

Re: Legacy windows (XP, Server 2000) log onboarding to Splunk (without UF)

gcusello — Wed, 08 Oct 2025 07:45:41 GMT

Hi @Anit_Mathew ,

I don't know if it's permitted in you infrastructure, but you could try to use WMI https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.1/get-windows-data/monitor-data-through-windows-management-instrumentation-wmi

I usually avoid to use WMI but in this case, maybe is the easiest solution.

Ciao.

Giuseppe

Re: Legacy windows (XP, Server 2000) log onboarding to Splunk (without UF)

thahir — Wed, 08 Oct 2025 07:47:20 GMT

@Anit_Mathew ,

My suggestion is You can deploy the Snare agent on the legacy Windows hosts (e.g., Windows XP/Server 2000) to forward Event Logs to a centralized syslog server. On that syslog server, run a Splunk Universal Forwarder (UF) to monitor the syslog files and securely forward them to Splunk for indexing and analysis.

Flow: Snare (legacy windows host) → Syslog server (file storage/rotation) Splunk UF → Splunk indexers.

Re: Legacy windows (XP, Server 2000) log onboarding to Splunk (without UF)

isoutamo — Wed, 08 Oct 2025 07:49:20 GMT

One old answers where is instructions how to read Windows evtx exports in linux.

https://community.splunk.com/t5/Getting-Data-In/Ingesting-offline-Windows-Event-logs-from-different-systems/m-p/649515

Re: Legacy windows (XP, Server 2000) log onboarding to Splunk (without UF)

PickleRick — Wed, 08 Oct 2025 12:43:53 GMT

Yes, but I'm not sure if it will work with EVT files (not EVTX!)