topic Re: Index Windows log evtx in Reporting

Index Windows log evtx

kalianov — Tue, 29 Sep 2020 13:05:01 GMT

Hi guys!
I have a free Splunk server which installed on Windows 2012 and
I want to index and analyze Security.evtx file, which I download from remote user's PC (Windows7).
I tried to add this stanzas to index.conf and reboot splunk server, but no information were indexed:
I can't use forwarder, it's a one-time need.
Var1
[WinEventLog://C:\temp\Security.evtx]
current_only = 0
disabled = 0
host = userPChostname
index = winevent_ext
sourcetype = WinEventLog:Security
start_from = oldest

Var2: If I open my "Security.evtx" file in Event Viewer, it's opened in "Saved Logs-Security" tree thats why I tried this:
[WinEventLog://Saved Logs/Security]
current_only = 0
disabled = 0
host = userPChostname
index = winevent_ext
sourcetype = WinEventLog:Security
start_from = oldest

No results.

Re: Index Windows log evtx

jkat54 — Wed, 01 Mar 2017 15:28:12 GMT

You have to open the event log in your event viewer on your local machine and then export it as csv and then you can use the add data wizard in Splunk.

Re: Index Windows log evtx

kalianov — Thu, 02 Mar 2017 07:12:26 GMT

Thanks for your advice. This is the right solution, but the task is to do it without conversion.

Re: Index Windows log evtx

jkat54 — Thu, 02 Mar 2017 13:07:37 GMT

You can't. You either put a forwarder on the machine to read the data where it is being generated, pull the data from another windows machine running Splunk via WMI input, or you do the conversion.