topic Re: How do I ingest the details tab in Windows Forwarded Events? in Getting Data In

How do I ingest the details tab in Windows Forwarded Events?

devinmclean — Tue, 29 Sep 2020 13:04:19 GMT

I have a server that received forwarded event logs from clients within my Enterprise. The event logs are simple to retrieve via the below standard inputs.conf stanza:

[WinEventLog://ForwardedEvents]
index = redacted
current_only=1
evt_resolve_ad_obj=0
renderXml=1
disabled=0

When the event logs come into Splunk, they only show EventCode, EventType, ComputerName, User, Sid, SidType, TaskCategory, OpCode, RecordNumber, Keywords, and Message (which is blank). The meat of the log that I need to see is in the details tab (if you're viewing it from Event Viewer in Windows). There's a friendly view and an XML view. Either one of the two detailed views I'd be fine with ingesting. However, Splunk is not ingesting these details. When looking in the XML view, there are two tags within : and . It appears Splunk is only capturing the data and not the that has the meat and potatoes of the log that I need. How do I get this data? I've been doing some searching and found a possible solution using scripted inputs with Wevtutil, but no documentation on how to use that within inputs.conf. I was hoping for an easier solution.

Any help would be greatly appreciated.

Re: How do I ingest the details tab in Windows Forwarded Events?

bmo017 — Tue, 29 Sep 2020 13:03:35 GMT

[WinEventLog://ForwardedEvents]
disabled = false
start_from = oldest
current_only = 0
checkpointInterval = 5
index =
renderXml=false

This seems to be working for us if you wanted to give it a shot.

Re: How do I ingest the details tab in Windows Forwarded Events?

JDukeSplunk — Tue, 29 Sep 2020 13:05:45 GMT

We use the Splunk add-on app for Windows. Splunk_TA_Windows.

https://splunkbase.splunk.com/app/742/

With some tweaking. But it is a good inputs, transforms and props.conf. If anything, you can download, extract it and have a peek at the .conf files.

Re: How do I ingest the details tab in Windows Forwarded Events?

devinmclean — Sat, 30 Sep 2017 00:52:28 GMT

It turns out the issue was that our forwarders were version 6.1. We needed to upgrade to at least 6.2 to take full advantage of the render XML feature on the universal forwarder.

Re: How do I ingest the details tab in Windows Forwarded Events?

euroccp — Wed, 25 Jul 2018 09:47:24 GMT

Did you find any solution? Currently experiencing the same issue.

Re: How do I ingest the details tab in Windows Forwarded Events?

richgalloway — Wed, 25 Jul 2018 13:18:36 GMT

@euroccp This question has two answers, one of them accepted. If neither answer helps you, please post a new question describing your problem.