https://community.splunk.com/t5/Getting-Data-In/How-to-capture-Windows-evtx-files/m-p/451426#M78276 <P>A customer has asked me to pick up the following logs:</P> <PRE><CODE>%SystemRoot%\System32\Winevt\Logs\Application.evtx %SystemRoot%\System32\Winevt\Logs\Security.evtx %SystemRoot%\System32\Winevt\Logs\System.evtx </CODE></PRE> <P>I am trying to figure out how to obtain those and have looked at a number of posts, but I'm not seeing what I'd like to do. Is the following possible? I want to create an inputs file as follows:</P> <PRE><CODE>[WinEventLog://Application] index = Winevt sourceType = Winevt:Application disabled = 0 [WinEventLog://Security] index = Winevt sourceType = Winevt:Security disabled = 0 [WinEventLog://System] index = Winevt sourceType = Winevt:System disabled = 0 </CODE></PRE> <P>But how does it know where to go for the actual files I want picked up?<BR /><BR /> Do I need to put in a full path to the logs (for instance d:/windows/events..../application.evtx)?</P> <P>Any assist would be very helpful.</P> Thu, 27 Jun 2019 19:09:22 GMT nls7010 2019-06-27T19:09:22Z https://community.splunk.com/t5/Getting-Data-In/How-to-capture-Windows-evtx-files/m-p/451426#M78276 <P>A customer has asked me to pick up the following logs:</P> <PRE><CODE>%SystemRoot%\System32\Winevt\Logs\Application.evtx %SystemRoot%\System32\Winevt\Logs\Security.evtx %SystemRoot%\System32\Winevt\Logs\System.evtx </CODE></PRE> <P>I am trying to figure out how to obtain those and have looked at a number of posts, but I'm not seeing what I'd like to do. Is the following possible? I want to create an inputs file as follows:</P> <PRE><CODE>[WinEventLog://Application] index = Winevt sourceType = Winevt:Application disabled = 0 [WinEventLog://Security] index = Winevt sourceType = Winevt:Security disabled = 0 [WinEventLog://System] index = Winevt sourceType = Winevt:System disabled = 0 </CODE></PRE> <P>But how does it know where to go for the actual files I want picked up?<BR /><BR /> Do I need to put in a full path to the logs (for instance d:/windows/events..../application.evtx)?</P> <P>Any assist would be very helpful.</P> Thu, 27 Jun 2019 19:09:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-capture-Windows-evtx-files/m-p/451426#M78276 nls7010 2019-06-27T19:09:22Z https://community.splunk.com/t5/Getting-Data-In/How-to-capture-Windows-evtx-files/m-p/451427#M78277 <P>So Splunk doesn't monitor the files but the event log channels itself. You don't want the full path but use the built monitors like you have listed. Documentation on these are available here: <A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Inputsconf#Windows_Event_Log_Monitor" target="_blank">https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Inputsconf#Windows_Event_Log_Monitor</A>. The add-on Splunk_TA_windows also has an inputs as well as other useful parsing for these logs you can use. That is available here: <A href="https://splunkbase.splunk.com/app/742/" target="_blank">https://splunkbase.splunk.com/app/742/</A>.</P> Wed, 30 Sep 2020 01:04:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-capture-Windows-evtx-files/m-p/451427#M78277 mdsnmss 2020-09-30T01:04:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-capture-Windows-evtx-files/m-p/451428#M78278 <P>Splunk knows where to find the event logs. Set the stanza name to <CODE>WinEventLog://Application</CODE>, <CODE>WinEventLog://Security</CODE>, or <CODE>WinEventLog:System</CODE> and Splunk will do the rest.</P> <P>BTW, the conventional name for the Windows event sourcetypes is <CODE>WinEventLog:*</CODE>. Other names are allowed, but apps that process Windows events may not work without modification.</P> Thu, 27 Jun 2019 20:28:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-capture-Windows-evtx-files/m-p/451428#M78278 richgalloway 2019-06-27T20:28:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-capture-Windows-evtx-files/m-p/451429#M78279 <P>See link below for walkthough<BR /> <A href="https://www.cloud-response.com/2019/07/importing-windows-event-log-files-into.html" target="_blank">https://www.cloud-response.com/2019/07/importing-windows-event-log-files-into.html</A></P> <P>Key is to monitor evtx files using the special preprocess-event sourcetype on a windows instance of Splunk. </P> <P>Takeaways:<BR /> 1. Copy evtx to spare windows server<BR /> 2. Load as many services as possible for known content (IE if evtx for AD load AD etc)<BR /> 3. Install Splunk <BR /> 4. Monitor directory with evtx files</P> <P><STRONG>NOTE</STRONG><BR /> I did this on a Windows EC2 instance successfully, stopped Splunk on Windows EC2 instance and then copied the following over to my test instance of Splunk on my Mac to faster / more direct access to the parsed evtx:<BR /> SPLUNK_HOME/var/lib/splunk/wineventlog<BR /> SPLUNK_HOME/var/lib/splunk/wineventlog.dat</P> Wed, 30 Sep 2020 02:33:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-capture-Windows-evtx-files/m-p/451429#M78279 tnesavich_splun 2020-09-30T02:33:47Z