topic Re: Retrieving Windows Event logs with hyphens in the name in Getting Data In

Retrieving Windows Event logs with hyphens in the name

torowa — Thu, 14 Mar 2019 23:09:01 GMT

Hi Splunkers.
I am trying to retrieve Windows event logs from and endpoint using a universal forwarder.
Having problems doing this where the log location contains a hyphen in the path/name.

Normally, to access a log located in the Events such as: --> Microsoft --> Windows --> AppLocker --> EXE and DLL
one would use [WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL] in the inputs.conf

... The "-" in the WinEventLog stanza heading is used as the path separator, not unlike a "/" in a pathname.

The problem I am having is where the paths or the actual name of a particular log contains a "-".
For example, for a path such as --> Microsoft --> Windows --> BitLocker-API --> Management, how do you escape the "-" in the WinEventLog:// stanza so that Splunk interprets the "-" as part of "Bitlocker-API", and not the path separator.

Is there any special handing needed to escape the "-" for in to be interepreted correctly?
Have tried many combinations and escaping this with a "\" but had no luck. The log is never retrieved.

Have tried this with a custom path without a "-" in the name and it works as expected. Creating an identical custom log with a "-" in the name/path does not retrieve the log.

Cheers.

Re: Retrieving Windows Event logs with hyphens in the name

kmower — Fri, 15 Mar 2019 03:33:58 GMT

Can you post your [monitor] stanza from inputs.conf for that path?

Re: Retrieving Windows Event logs with hyphens in the name

torowa — Fri, 15 Mar 2019 03:44:30 GMT

For example...

This one works:
[WinEventLog://Microsoft-Windows-BranchCache/Operational]

The actual log itself is called "Operational".

... however trying to access --> Microsoft -> Windows -> BitLocker-API -> Management doesn't work (Note that one of the path segments is "BitLocker-API"

I suspect this one doesn't work as Splunk would see "Bitlocker" and "API" as being different segments of the path:
[WinEventLog://Microsoft-Windows-BitLocker-API/Management]

I've tried escaping the "-" with an escape both of these:
[WinEventLog://Microsoft-Windows-BitLocker\-API/Management]
[WinEventLog://Microsoft-Windows-BitLocker-API/Management]

but have been unable to pull the events successfully.

Re: Retrieving Windows Event logs with hyphens in the name

torowa — Fri, 15 Mar 2019 03:51:05 GMT

I have tried all these variants:

WinEventLog://Microsoft-Windows-BitLocker-API/Management

Also have tried varying forms of escaping the "-" between BitLocker and API:

[WinEventLog://Microsoft-Windows-BitLocker-API/Management]
[WinEventLog://Microsoft-Windows-BitLocker\-API/Management]

None of these seemed to do the trick....

Re: Retrieving Windows Event logs with hyphens in the name

torowa — Fri, 15 Mar 2019 05:06:45 GMT

o.k..Got it.... For others chasing this, seems the Log names displayed in the tree view of Event Viewer are not necessarily what they are called.
Best way to get the string for the WinEventLog stanza is to use Event Viewer and click on the properties of the log.
"Full Name" field will give you the name needed in the stanza.

For example, browsing the Event viewer the BitLocker log displays under the following path:
Microsoft -> Windows -> BitLocker-API -> Management.

"Microsoft-Windows-BitLocker/BitLocker Management" is how it show up under properties (note the "-API" part is missing).

Thanks for looking...

Re: Retrieving Windows Event logs with hyphens in the name

richgalloway — Fri, 15 Mar 2019 14:26:02 GMT

@torowa If your problem is resolved, please accept an answer to help future readers.

Re: Retrieving Windows Event logs with hyphens in the name

nickhills — Fri, 15 Mar 2019 14:36:32 GMT

Great job solving your own problem. You should accept your own answer, so that others searching in the future know you resolved it.
Good Luck.