<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: sourcetype for windows event logs in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/sourcetype-for-windows-event-logs/m-p/42686#M7979</link>
    <description>&lt;P&gt;Windows event logs should be importable as .evt or .evtx files, however you need to be running your indexer on Windows to do so.&lt;/P&gt;

&lt;P&gt;The default sourcetype would be WinEventLog: followed by the source log, for example for the Application log it would be WinEventLog:Application, however automatic sourcetype assignment should work, and fields should be extracted.&lt;/P&gt;</description>
    <pubDate>Fri, 30 Dec 2011 21:37:16 GMT</pubDate>
    <dc:creator>dart</dc:creator>
    <dc:date>2011-12-30T21:37:16Z</dc:date>
    <item>
      <title>sourcetype for windows event logs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/sourcetype-for-windows-event-logs/m-p/42685#M7978</link>
      <description>&lt;P&gt;This question deals with identifying fields within events from a windows event log (i.e. the Application, System or Security log) manually exported from the windows EventVwr.&lt;/P&gt;

&lt;P&gt;I know I can use a Splunk Universal Forwarder to monitor the logs and forward events for indexing as they occur, but in this case I need to troubleshoot a system that is not forwarding events. So I manually export, for example, the System event log. In doing so I have 3 options: I may export a log and save it as a .evt, a .csv or a .txt file. For testing, I have exported it in all 3 formats. I then used the Splunk UI to Add Inputs. First, when selecting the “sourcetype” I selected Automatic. I then selected From List, and tested csv, csv-2, csv-3, syslog and Log4J. My best results came when indexing the .txt file using either sourcetype Automatic or Log4J, but I was surprised to find that none of the combinations automatically identified the Windows event Source, Type, Category, EventID, etc.&lt;/P&gt;

&lt;P&gt;So I guess I have 2 questions:&lt;/P&gt;

&lt;P&gt;1. What happens behind the scenes when I select from the various sourcetypes available on the Data Inputs screen?&lt;BR /&gt;
2. Is there a tried and true method for automatically identifying these basic Windows event log fields so next week, when troubleshooting another Windows system, I won’t have to re-extract these basic fields?&lt;/P&gt;</description>
      <pubDate>Fri, 30 Dec 2011 13:55:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/sourcetype-for-windows-event-logs/m-p/42685#M7978</guid>
      <dc:creator>mikefoti</dc:creator>
      <dc:date>2011-12-30T13:55:13Z</dc:date>
    </item>
    <item>
      <title>Re: sourcetype for windows event logs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/sourcetype-for-windows-event-logs/m-p/42686#M7979</link>
      <description>&lt;P&gt;Windows event logs should be importable as .evt or .evtx files, however you need to be running your indexer on Windows to do so.&lt;/P&gt;

&lt;P&gt;The default sourcetype would be WinEventLog: followed by the source log, for example for the Application log it would be WinEventLog:Application, however automatic sourcetype assignment should work, and fields should be extracted.&lt;/P&gt;</description>
      <pubDate>Fri, 30 Dec 2011 21:37:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/sourcetype-for-windows-event-logs/m-p/42686#M7979</guid>
      <dc:creator>dart</dc:creator>
      <dc:date>2011-12-30T21:37:16Z</dc:date>
    </item>
  </channel>
</rss>