topic Re: Can Splunk index Windows Event Log(evt,evtx) files? in Getting Data In

Can Splunk index Windows Event Log(evt,evtx) files?

Ledio_Ago — Sat, 16 Jan 2010 16:39:27 GMT

Windows Server 2003, Windows XP and 2000 generate evt files, where Windows Vista, 2008 Server, Windows 7 generate evtx files. Can Splunk index these files just like any other text file?

Re: Can Splunk index Windows Event Log(evt,evtx) files?

ziegfried — Sun, 17 Jan 2010 18:45:15 GMT

Yes, a Splunk 4 instance running on Windows can index those files. Just add a file monitoring data input and Splunk will decode the event log content. It doesn't work on *nix as far as I know, though.

Re: Can Splunk index Windows Event Log(evt,evtx) files?

jrodman — Wed, 20 Jan 2010 12:09:22 GMT

Well, they aren't text files at all, so the indexing is a bit different than a log file.

It's sensitive to running on windows, and for best results you want to index them on the host which produced them (for example to expand usernames and the like). For reasonable results the dlls which were involved in creating the events should be availble, which typically means indexing Vista-generated events on Vista, and so on.

The configuration necessary to index them should be just like a traditional text log, simply point a monitor input at the file. I haven't checked how the files are recognized -- by name, by content, or otherwise. Does anyone know?

Re: Can Splunk index Windows Event Log(evt,evtx) files?

bchen — Thu, 21 Jan 2010 06:58:05 GMT

Yes. The documentation on how to do this exists here:

http://docs.splunk.com/Documentation/Splunk/5.0/Data/MonitorWindowsdata

In short, you can add these files as inputs, but be sure that these files are not being written to while splunk reads it. Also, unlike other log files, using the upload function will not work with these files. Splunk will recognize the file by the file extension .evt or .evtx. Since Splunk utilizes native Windows APIs to extract information from these files, you need to run Splunk on windows.

Re: Can Splunk index Windows Event Log(evt,evtx) files?

marcoscala — Tue, 27 Apr 2010 19:05:52 GMT

We've had several problems with this issue. Actually the Splunk docs is a bit misleading on this. The only guaranteed method to index Windows Event Logs events is to define a native input on a Splunk instance -could be a (light)forwarder too- on the same windows machine that generate the Events to index (add for instance a [WinEventLog:Application] stanza in inputs.conf).

As you can see from the last updated docs (http://www.splunk.com/base/Documentation/4.1.1/Admin/MonitorWindowsdata), indexing exported evt data has several limitations, due to the Microsoft proprietary way to generate those .evt files, which embed links to the DLLs used to generate them.

So take care when planning a Splunk deployment were there will be several evt files (or data) to index!

Marco Scala

Re: Can Splunk index Windows Event Log(evt,evtx) files?

nvoitov — Mon, 23 Aug 2010 18:56:35 GMT

Splunk 1.4.1 x64 win32. Splunk can't index evt/evtx files due to binary...why???

Re: Can Splunk index Windows Event Log(evt,evtx) files?

gkanapathy — Mon, 23 Aug 2010 22:17:45 GMT

Please edit and clarify what version of Splunk you're talking about. Better yet, it sounds to me like you have a new question, so you should probably post new, rather than an answer to this one.

Re: Can Splunk index Windows Event Log(evt,evtx) files?

the_wolverine — Thu, 09 Jun 2011 20:46:36 GMT

the posted link is broken.

Re: Can Splunk index Windows Event Log(evt,evtx) files?

rturk — Sun, 15 Jul 2012 15:28:19 GMT

http://docs.splunk.com/Documentation/Splunk/5.0/Data/MonitorWindowsdata is the latest doco.

Re: Can Splunk index Windows Event Log(evt,evtx) files?

ChrisG — Fri, 21 Dec 2012 22:59:33 GMT

Updated both docs URLs to permanent links

Re: Can Splunk index Windows Event Log(evt,evtx) files?

rmarietan — Fri, 29 Nov 2019 12:08:24 GMT

the link fricking doesn't work!!!!