https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359605#M65614 <P>Hi @ddrillic, Following up on my previous answer after more research. @ppablo and @aaraneta helped me look through several other related inquiries and the documentation on Splunk Docs, and unfortunately it looks like the original evtx files can't be uploaded in this way as you requested due to the proprietary nature of the evtx files. You can read more from the answers to these questions here: <A href="https://answers.splunk.com/topics/evtx.html">https://answers.splunk.com/topics/evtx.html</A> </P> <P>We have a pretty active public Slack chat if you'd like to reach out there for more info or to see if an active user has found a workaround. You first have to request access through <A href="http://splk.it/slack">http://splk.it/slack</A>. Fill out the form, and once you receive the approval email from our Community Manager (usually the approval process may take a couple days), you can access Slack.com and ask for help in the #general channel.</P> Tue, 08 Aug 2017 23:01:22 GMT lfedak_splunk 2017-08-08T23:01:22Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359601#M65610 <P>We are trying to upload the Administrative Events.evtx file via the Add Data interface. However, the interface doesn't seem to provide the option to treat the file as a Windows events log file.</P> <P>We see - </P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3339i7520DA6C4BBE16C1/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Any ideas?</P> Tue, 08 Aug 2017 21:29:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359601#M65610 ddrillic 2017-08-08T21:29:40Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359602#M65611 <P>Hey @ddrillic, Here's some documentation on adding this type of file. <A href="http://docs.splunk.com/Documentation/Splunk/5.0/Data/MonitorWindowsdata">http://docs.splunk.com/Documentation/Splunk/5.0/Data/MonitorWindowsdata</A></P> Tue, 08 Aug 2017 21:54:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359602#M65611 lfedak_splunk 2017-08-08T21:54:34Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359603#M65612 <P>Great, but I would like to <STRONG>upload</STRONG> them as files and not monitor them, which we can't at this point...</P> Tue, 08 Aug 2017 21:56:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359603#M65612 ddrillic 2017-08-08T21:56:42Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359604#M65613 <P>Here are a few Answers links as well: <BR /> Through the interface: <A href="https://answers.splunk.com/answers/528735/how-to-index-exported-evt-and-evtx-files.html">https://answers.splunk.com/answers/528735/how-to-index-exported-evt-and-evtx-files.html</A><BR /> Using a forwarder or using a work-around to change them into csv or text files: <A href="https://answers.splunk.com/answers/479464/how-to-index-evtx-files-in-splunk.html">https://answers.splunk.com/answers/479464/how-to-index-evtx-files-in-splunk.html</A></P> Tue, 08 Aug 2017 21:57:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359604#M65613 lfedak_splunk 2017-08-08T21:57:20Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359605#M65614 <P>Hi @ddrillic, Following up on my previous answer after more research. @ppablo and @aaraneta helped me look through several other related inquiries and the documentation on Splunk Docs, and unfortunately it looks like the original evtx files can't be uploaded in this way as you requested due to the proprietary nature of the evtx files. You can read more from the answers to these questions here: <A href="https://answers.splunk.com/topics/evtx.html">https://answers.splunk.com/topics/evtx.html</A> </P> <P>We have a pretty active public Slack chat if you'd like to reach out there for more info or to see if an active user has found a workaround. You first have to request access through <A href="http://splk.it/slack">http://splk.it/slack</A>. Fill out the form, and once you receive the approval email from our Community Manager (usually the approval process may take a couple days), you can access Slack.com and ask for help in the #general channel.</P> Tue, 08 Aug 2017 23:01:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359605#M65614 lfedak_splunk 2017-08-08T23:01:22Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359606#M65615 <P>Decoding of <CODE>evtx</CODE> files must be done in context of the Windows server where it was generated and upload does not work. For a great explanation, see the answer by @inventsekar here (be sure to UpVote him):<BR /> <A href="https://answers.splunk.com/answers/479464/how-to-index-evtx-files-in-splunk.html">https://answers.splunk.com/answers/479464/how-to-index-evtx-files-in-splunk.html</A></P> Wed, 09 Aug 2017 11:57:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359606#M65615 woodcock 2017-08-09T11:57:54Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359607#M65616 <P>Very kind @woodcock </P> Sun, 13 Aug 2017 00:37:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359607#M65616 ddrillic 2017-08-13T00:37:33Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359608#M65617 <P>Just ran into this same issue, having trouble ingesting these .evtx logs (from Citrix application server). Also read thru the link woodcock provided (<A href="https://answers.splunk.com/answers/479464/how-to-index-evtx-files-in-splunk.html">https://answers.splunk.com/answers/479464/how-to-index-evtx-files-in-splunk.html</A>) and didn't see any clear answer.</P> <P>Using a forwarder to monitor the file, also used the sourcetype=WinEventLog, after installing the Windows TA...but getting the same results as ddrillic. </P> <P>Anyone got more info on how to ingest these logs? Thanks!</P> <P>Joe</P> Fri, 13 Dec 2019 16:41:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359608#M65617 joesrepsolc 2019-12-13T16:41:14Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359609#M65618 <P>I believe that @landen99 @alanden_splunk can shed some light on this.</P> Fri, 13 Dec 2019 17:03:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359609#M65618 woodcock 2019-12-13T17:03:17Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359610#M65619 <P>@joesrepsolc The solution appears fairly complicated, so clarity is not going to be expected when using Splunk to do it. I actually prefer the other answer by @tnesavich for the sake of clarity. But I expect it is much simpler to use the python method, not mentioned in those answers. Have you looked at python-evtx? <A href="https://github.com/williballenthin/python-evtx">https://github.com/williballenthin/python-evtx</A></P> Sat, 14 Dec 2019 15:22:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-upload-an-Administrative-Events-evtx-file/m-p/359610#M65619 landen99 2019-12-14T15:22:34Z