topic Re: Monitor evtx log in Monitoring Splunk

Monitor evtx log

AaronMoorcroft — Thu, 03 Apr 2014 13:44:28 GMT

Hi Guys

I need to drag a evtx log from %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService.evtx

This needs to show all the indivdual print jobs/ info

This needs to be completed in a conf file, currently looking like this -

[WinEventLog://C:\Windows\System32\Winevt\Logs\Microsoft-Windows-PrintService%4Operational.evtx
disabled = false
sourcetype = printname

currently the results look a little like this -

x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\

Can anyone help me please ?

Re: Monitor evtx log

MuS — Thu, 03 Apr 2014 13:52:53 GMT

Hi AaronMoorcroft,

could it be that you have set a TCP input port in inputs.conf on the indexer like this:

[tcp://any TCP Port]

...should be instead :

[splunktcp://9997]

The indexer is receiving cooked data on a TCP port configured to receive uncooked data. Port 9997 is the default port for Splunk to receive cooked data.

cheers, MuS

Re: Monitor evtx log

lukejadamec — Thu, 03 Apr 2014 13:53:04 GMT

Is this log file being read on the machine that produced it?

Re: Monitor evtx log

AaronMoorcroft — Thu, 03 Apr 2014 13:55:09 GMT

Hi Luke,

no the the file is on a different server and is being forwarded with the universal forwarder to our main indexer

Re: Monitor evtx log

AaronMoorcroft — Thu, 03 Apr 2014 13:56:06 GMT

No i have no setup like that within the inputs file other than the default host name

Re: Monitor evtx log

MuS — Thu, 03 Apr 2014 14:01:50 GMT

how did you setup receiving on the indexer in this case? Since you are forwarding this from an universal forwarder?

Re: Monitor evtx log

MuS — Thu, 03 Apr 2014 14:07:08 GMT

you could try the CHARSET option in props.conf on the forwarder or read this http://answers.splunk.com/answers/83790/how-do-i-remove-x00-characters-from-my-log-message

Re: Monitor evtx log

AaronMoorcroft — Thu, 03 Apr 2014 14:08:05 GMT

All events would be sent via 9997 from all our lets call them mini forwarders onto lets call it our main forwarder and that then onto the indexer.

this is working perfectly well for all other logs and configs that are set up, I suspect this is somthing to do with this being an evtx file

Re: Monitor evtx log

lukejadamec — Thu, 03 Apr 2014 14:16:56 GMT

With windows logs, they need to be read on the same version of windows as the system that created the log file. If you try to read an evtx file on a w2k3 server, you'll probably get data like you have.

Re: Monitor evtx log

AaronMoorcroft — Thu, 03 Apr 2014 14:19:08 GMT

ok that would make perfect sense but in that case how do the regular event logs work as they are fine ??

very confusing

Re: Monitor evtx log

lukejadamec — Thu, 03 Apr 2014 14:25:04 GMT

What do you mean by regular?

Re: Monitor evtx log

AaronMoorcroft — Thu, 03 Apr 2014 14:26:14 GMT

Application
Security
System

Re: Monitor evtx log

lukejadamec — Thu, 03 Apr 2014 14:37:56 GMT

If they are evtx, and they are being read on w2k3 without issue then that is a good question. I did not think that was possible. See the bottom of this doc:
http://docs.splunk.com/Documentation/Splunk/6.0.2/Data/MonitorWindowsdata

Re: Monitor evtx log

AaronMoorcroft — Thu, 03 Apr 2014 14:46:39 GMT

I may have found a way around this, ill post back when an answer, maybe tomorrow now though, what im thinking is move the specific logs from that event log into the system event log...

Re: Monitor evtx log

AaronMoorcroft — Thu, 03 Apr 2014 16:30:35 GMT

Not sure if everyone would class this as an answer however I have managed to find a work around that may work for someone else out there.

So in Server 08 I guess not all events are automagically logged in either System, Application or Security the 3 main places you look for your logs (yes i know there are a few others)

anyway when enabling the printer logs this goes into a seperate location altogeather see the loaction listed in the initial question, basically what I have done is changed the properties of that log location to point to the System log location, in doing this it duplicates the logs, the logs will continue to go to the original location and there will then also be a copy put into in this case the system log too.

for me this has resolved my problem as splunk was picking up logs from the 3 main locations but not the other...

thanks for your help Luke and Mus.

Re: Monitor evtx log

AaronMoorcroft — Mon, 28 Sep 2020 16:21:07 GMT

Just as a follow up the answer above worked hoever only spradically, very on and off, finally manged to get it working with the below in the conf file -

[WinEventLog:Microsoft-Windows-PrintService/Operational]
disabled = 0
start_from = oldest
current_only = 0

initially this wouldnt work but after a few hours and a couple of splunk service restarts it all came to life.

Re: Monitor evtx log

jeubank12 — Sun, 19 Apr 2015 16:19:25 GMT

Splunk will show a sourcetype of preprocess-winevt on the preview screen while giving you the raw file output. This is normal. Click through all the rest of the adding data prompts and then splunk will send the files through the correct processor to index the events

Re: Monitor evtx log

Sarmbrister — Wed, 16 Sep 2015 20:59:04 GMT

I am currently having this same issue. Were you able to solve the problem? I have changed my CHARSET=UTF-16LE on my UF and no luck. Really looking for an answer on this one.

Re: Monitor evtx log

Sarmbrister — Wed, 23 Sep 2015 00:23:21 GMT

I have been dealing with this same issue for a long time I think i figured out the issue. Since it is windows event logs and they are in binary Splunk might not know how to bring them in unless they are part of the wineventlog configs or the data needs to be in plain text. I am currently working on a script to put the data into plain text then have splunk read that file then delete the plain text file after splunk pulls the data. If successful I'll let you know.

Re: Monitor evtx log

Sarmbrister — Wed, 11 Nov 2015 16:26:45 GMT

I am dealing with the same issue. One of two things might work for this.

1. When you run a search use this rex command. index= | rex mode=sed "s/\\x..//g" (This will remove all of the null data or anything that has \x and any two characters after it.
2. If you are continuing to index from the source then set up a transforms.conf file and set up the props.conf. regex to use s/\\x..//g

I set up the transforms.conf file and am currently waiting on data to flow through to determine if it is working.

Transforms.conf: http://docs.splunk.com/Documentation/Splunk/6.1/admin/Transformsconf

Props.conf: http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Hope this helps.