https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/514159#M9134 <P>Looking at the wmi.conf file on one of our universal forwarders, I see remote log collection is disabled:</P><LI-CODE lang="markup">[settings] initial_backoff = 5 max_backoff = 20 max_retries_at_max_backoff = 0 checkpoint_sync_interval = 2 ## Pull event logs FROM the local system ## Usually disabled in favor of using WinEventLog inputs [WMI:LocalApplication] interval = 10 event_log_file = Application disabled = 1 [WMI:LocalSystem] interval = 10 event_log_file = System disabled = 1 [WMI:LocalSecurity] interval = 10 event_log_file = Security disabled = 1</LI-CODE> Fri, 14 Aug 2020 16:16:04 GMT gurulee 2020-08-14T16:16:04Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/513778#M9124 <P>We want XML based logs over Non-XML logs, but we are seeing both for some reason. Moreover, if we look at the log messages with source=WinEventLog:Security for example, the sourcetype shows 'xmlwineventlog'. Is this normal/expected behavior or is there some additional tuning we need to do?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-08-12 15_31_24-Inbox - lseeman@h5.com - Outlook.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10223i4CC4F8A74F1360EE/image-size/large?v=v2&amp;px=999" role="button" title="2020-08-12 15_31_24-Inbox - lseeman@h5.com - Outlook.png" alt="2020-08-12 15_31_24-Inbox - lseeman@h5.com - Outlook.png" /></span></P> Wed, 12 Aug 2020 19:37:48 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/513778#M9124 gurulee 2020-08-12T19:37:48Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/513781#M9125 <P>Check inputs.conf, if you have more than where one says renderXml=true, another says renderXml=false.</P><P>can you also check if you are seeing xml and non-xml events for a same host?</P> Wed, 12 Aug 2020 19:43:57 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/513781#M9125 thambisetty 2020-08-12T19:43:57Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/513996#M9126 <P>There is no '<SPAN>renderXml=false' in our inputs.conf, only 'renderXml=true'</SPAN></P><P><SPAN>No we do not see duplicate events logs for both a single host. What's odd is, we do not see the same log record ID's for 'source = XmlWinEventLog:Security' versus 'source = WinEventLog:Security'. But we are getting logs for both sources...</SPAN></P> Fri, 14 Aug 2020 16:10:54 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/513996#M9126 gurulee 2020-08-14T16:10:54Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/514047#M9127 <P>Can you check if you maybe have "Remote event log collections" enabled for this host on one of your Splunk instances? This is one of the reasons why there can be duplicate data..</P> Fri, 14 Aug 2020 08:34:48 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/514047#M9127 MaverickT 2020-08-14T08:34:48Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/514159#M9134 <P>Looking at the wmi.conf file on one of our universal forwarders, I see remote log collection is disabled:</P><LI-CODE lang="markup">[settings] initial_backoff = 5 max_backoff = 20 max_retries_at_max_backoff = 0 checkpoint_sync_interval = 2 ## Pull event logs FROM the local system ## Usually disabled in favor of using WinEventLog inputs [WMI:LocalApplication] interval = 10 event_log_file = Application disabled = 1 [WMI:LocalSystem] interval = 10 event_log_file = System disabled = 1 [WMI:LocalSecurity] interval = 10 event_log_file = Security disabled = 1</LI-CODE> Fri, 14 Aug 2020 16:16:04 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/514159#M9134 gurulee 2020-08-14T16:16:04Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/514195#M9136 <P>You have confirmed that you are not seeing xml and non-xml from same host.</P><P>can you verify inputs.conf pushed to client which is sending xml events and also verify inputs.conf pushed to client which is sending non-xml events?</P><P>I am sure there would be a difference between the inputs used in two different servers.</P> Fri, 14 Aug 2020 19:34:10 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/514195#M9136 thambisetty 2020-08-14T19:34:10Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/514201#M9138 <P>Turns out the cause of this was the windows TA add-on was not installed on all our indexers. This now parses the log "source" as the XML name consistently. It was not duplicating logs.</P><P>Thank you all for the support.</P> Fri, 14 Aug 2020 21:13:59 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/514201#M9138 gurulee 2020-08-14T21:13:59Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/536319#M9642 <P>Faced same issue, it was because we sent logs before installing Splunk Add-on For MS Windows on Indexer. Before this Add-on logs were tagged with source=<SPAN>WinEventLogs and after installing this Add-on the logs are tagged with source=xmlWinEventLogs. No duplicate events, just change in source tagging.&nbsp;</SPAN></P> Tue, 19 Jan 2021 11:40:11 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Seeing-both-WinEventLogs-and-XmlWinEventlogs/m-p/536319#M9642 bansodesant 2021-01-19T11:40:11Z