https://community.splunk.com/t5/Getting-Data-In/WIndows-Active-Directory-sourcetypes/m-p/555705#M92029 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/235199">@Gene</a>&nbsp;</P><P><SPAN>Docs says, with renderXml=true option you would see xmlwineventlog sourcetype.&nbsp; if you make it false the sourcetype would switch to classic mode.</SPAN></P><P><SPAN>Previous versions of the Splunk Add-on for Windows collected&nbsp;</SPAN>WinEventLog<SPAN>&nbsp;data collection inputs in Classic mode. By default, version 6.0.0 of the Splunk Add-on for Windows collects all&nbsp;</SPAN>WinEventLog<SPAN>&nbsp;data collection inputs in XML mode.</SPAN></P><P><SPAN>Refer -&nbsp;<A href="https://docs.splunk.com/Documentation/WindowsAddOn/8.1.2/User/Upgrade#Change_WinEventLog_collection_mode" target="_blank" rel="noopener">Upgrade the Splunk Add-on for Windows - Splunk Documentation</A>&nbsp;having detailed info.</SPAN></P><P><SPAN>----</SPAN></P><P><SPAN>An upvote would be appreciated if it helps!</SPAN></P> Tue, 15 Jun 2021 01:09:14 GMT venkatasri 2021-06-15T01:09:14Z https://community.splunk.com/t5/Getting-Data-In/WIndows-Active-Directory-sourcetypes/m-p/555659#M92015 <P>Dear Splunkers, I have a question regarding AD data input. Can you please advise on what sourcetype and source of events is correct one?</P><P>I have installed UF and created input - data came from WinEventLog:Security source. Then I installed Addon for Microsoft and created blacklists in inputs.conf file and pushed it to UF. After that modification I receive events from XmlWinEventLog:SecurityI was trying to figure out which one is correct but had no luck to find clear answer.<BR />My inputs.conf</P><P>[WinEventLog://Security]<BR />disabled = 1<BR />start_from = oldest<BR />current_only = 1<BR />evt_resolve_ad_obj = 1<BR />checkpointInterval = 5</P><P>renderXml=true<BR />blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"<BR />blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"</P> Mon, 14 Jun 2021 13:57:06 GMT https://community.splunk.com/t5/Getting-Data-In/WIndows-Active-Directory-sourcetypes/m-p/555659#M92015 Gene 2021-06-14T13:57:06Z https://community.splunk.com/t5/Getting-Data-In/WIndows-Active-Directory-sourcetypes/m-p/555705#M92029 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/235199">@Gene</a>&nbsp;</P><P><SPAN>Docs says, with renderXml=true option you would see xmlwineventlog sourcetype.&nbsp; if you make it false the sourcetype would switch to classic mode.</SPAN></P><P><SPAN>Previous versions of the Splunk Add-on for Windows collected&nbsp;</SPAN>WinEventLog<SPAN>&nbsp;data collection inputs in Classic mode. By default, version 6.0.0 of the Splunk Add-on for Windows collects all&nbsp;</SPAN>WinEventLog<SPAN>&nbsp;data collection inputs in XML mode.</SPAN></P><P><SPAN>Refer -&nbsp;<A href="https://docs.splunk.com/Documentation/WindowsAddOn/8.1.2/User/Upgrade#Change_WinEventLog_collection_mode" target="_blank" rel="noopener">Upgrade the Splunk Add-on for Windows - Splunk Documentation</A>&nbsp;having detailed info.</SPAN></P><P><SPAN>----</SPAN></P><P><SPAN>An upvote would be appreciated if it helps!</SPAN></P> Tue, 15 Jun 2021 01:09:14 GMT https://community.splunk.com/t5/Getting-Data-In/WIndows-Active-Directory-sourcetypes/m-p/555705#M92029 venkatasri 2021-06-15T01:09:14Z https://community.splunk.com/t5/Getting-Data-In/WIndows-Active-Directory-sourcetypes/m-p/555733#M92040 <P>Thanks. That's what I was looking for!</P> Tue, 15 Jun 2021 07:23:44 GMT https://community.splunk.com/t5/Getting-Data-In/WIndows-Active-Directory-sourcetypes/m-p/555733#M92040 Gene 2021-06-15T07:23:44Z