topic Re: How to import Windows Log files? in Splunk Search

How to import Windows Log files?

Douggg — Fri, 09 Nov 2012 18:13:58 GMT

I'm a new Splunk user so don't dump on me if theis is a dumb quesiton but I can't find any tutorials or how to for Splunk 5.

I have an Microsoft evt and evtx files. (Microsoft log files.) Downloaded and installed Splunk 5, so default install. When I attempt to import the evt and evtx files all I see is what appears to be junk in the preview window.

In looking at instructions for previous versions of Splunk it appears there's an add-in or modules I need to add Microsoft event files. Do I need to do the same with Splunk 5?

Thanks

Re: How to import Windows Log files?

ChrisG — Fri, 09 Nov 2012 18:35:07 GMT

Just to start...did you read Monitor Windows event log data in the Getting Data In Manual? Considerations for deciding how to monitor remote Windows data is worth looking at as well if you have a significant number of Windows hosts.

Re: How to import Windows Log files?

Kate_Lawrence-G — Fri, 09 Nov 2012 18:39:31 GMT

The issue is that evt/evtx files are binary and can't be imported natively to Splunk.

You can install Splunk for Windows if you are using a full Splunk installation and that will allow some support for indexing the events from event viewer. Or if you have the universal forwarder installed you can configure windows scripted inputs to capture events from the events viewer and forward them to Splunk.

-kate