topic Re: Field extrations from XmlWinEventLog in Splunk Search

Field extrations from XmlWinEventLog

hcpr — Thu, 11 May 2017 08:58:16 GMT

Hi,
I've been trying to find a good solution to extract fields from some XML windows event logs.
For instance sourcetype="xmlwineventlog:microsoft-windows-base-filtering-engine-connections/operational"

A record from this might look like this:

<?xml version="1.0"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Base-Filtering-Engine-Connections" Guid="{guid removed}"/>
    <EventID>2001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-05-11T08:31:38.735136100Z"/>
    <EventRecordID>1173869</EventRecordID>
    <Correlation/>
    <Execution ProcessID="1152" ThreadID="9924"/>
    <Channel>Microsoft-Windows-Base-Filtering-Engine-Connections/Operational</Channel>
    <Computer>hostname.removed</Computer>
    <Security UserID="removed"/>
  </System>
  <EventData>
    <Data Name="ConnectionId">13138485797994339311</Data>
    <Data Name="MachineAuthenticationMethod">4</Data>
    <Data Name="RemoteMachineAccount">remote, machine, account, removed</Data>
    <Data Name="UserAuthenticationMethod">5</Data>
    <Data Name="RemoteUserAcount">domain\user</Data>
    <Data Name="RemoteIPAddress">IPv6addr removed</Data>
    <Data Name="LocalIPAddress">local IPv6addr removed</Data>
    <Data Name="TechnologyProviderKey">{1BEBC969-61A5-4732-A177-847A0817862A}</Data>
    <Data Name="IPsecTrafficMode">1</Data>
    <Data Name="BytesTransferredInbound">10128</Data>
    <Data Name="BytesTransferredOutbound">10528</Data>
    <Data Name="BytesTransferredTotal">20656</Data>
    <Data Name="StartTime">2017-05-11T08:30:03.155Z</Data>
    <Data Name="CloseTime">2017-05-11T08:31:38.724Z</Data>
  </EventData>
</Event>

In this case it is the <Data name="whatever">blah>/Data> fields that are most interesting to extract.
I've tried KV_MODE=xml, but that does not parse anything, neither does xmlkv, which perhaps isn't a surprise.

So any suggestions on the easiest way to parse this? I'd prefer not to have to manually define the fields, since there are several different sourcetypes I need to do this for.

Thanks

Re: Field extrations from XmlWinEventLog

adayton20 — Thu, 11 May 2017 09:44:03 GMT

You might try renderXml=true in your inputs.conf file beneath the stanza for that sourcetype, under the app you're working with.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

Re: Field extrations from XmlWinEventLog

hcpr — Thu, 11 May 2017 10:29:05 GMT

I forgot to mention that .
I have renderXML=true in the inputs. So I get the XML data, just looking for the best way to extract all the fields automatically.

Re: Field extrations from XmlWinEventLog

adayton20 — Thu, 11 May 2017 16:01:48 GMT

Hmm, the Splunk Add on for Windows contains field extractions for Windows-based XML logs in both the props and transforms. Are you using this app? https://splunkbase.splunk.com/app/742/

Re: Field extrations from XmlWinEventLog

hettervik — Fri, 09 Feb 2018 12:15:55 GMT

Did you find any solution to this? I'm using the TA for Windows, which collects XmlWinEventLog with renderXml=true and does a lot of report stuff in props.conf, but still there are no field extractions on the searh head.