topic How to collect Windows event logs and field extractions without using a universal forwarder? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-collect-Windows-event-logs-and-field-extractions-without/m-p/209073#M61061 <P>In my situation, installing a universal forwarder is NOT an option for the remote Windows machine. I am using snare to bring them in and the sourcetype of windows_snare_syslog, however there are no field extractions. After a lot of research to try and get a solution to extract fields for the event logs, I set up Spunk Enterprise to run on Windows, however, still no extractions. All of the windows-related apps I have tried seem to assume or need you to get the logs from a Splunk forwarder. </P> <P>Can you advise what specific app to use or other settings to get the field extractions working?</P> Tue, 29 Sep 2020 07:11:35 GMT hopnscotch 2020-09-29T07:11:35Z How to collect Windows event logs and field extractions without using a universal forwarder? https://community.splunk.com/t5/Splunk-Search/How-to-collect-Windows-event-logs-and-field-extractions-without/m-p/209073#M61061 <P>In my situation, installing a universal forwarder is NOT an option for the remote Windows machine. I am using snare to bring them in and the sourcetype of windows_snare_syslog, however there are no field extractions. After a lot of research to try and get a solution to extract fields for the event logs, I set up Spunk Enterprise to run on Windows, however, still no extractions. All of the windows-related apps I have tried seem to assume or need you to get the logs from a Splunk forwarder. </P> <P>Can you advise what specific app to use or other settings to get the field extractions working?</P> Tue, 29 Sep 2020 07:11:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-collect-Windows-event-logs-and-field-extractions-without/m-p/209073#M61061 hopnscotch 2020-09-29T07:11:35Z Re: How to collect Windows event logs and field extractions without using a universal forwarder? https://community.splunk.com/t5/Splunk-Search/How-to-collect-Windows-event-logs-and-field-extractions-without/m-p/209074#M61062 <P>You configured the custom field extractions (after your research) on Search Head for your sourcetype windows_snare_syslog, correct? Are you using any in-built dashboard searches which might be referring to different index/sourcetype?</P> Tue, 29 Sep 2020 07:11:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-collect-Windows-event-logs-and-field-extractions-without/m-p/209074#M61062 somesoni2 2020-09-29T07:11:42Z Re: How to collect Windows event logs and field extractions without using a universal forwarder? https://community.splunk.com/t5/Splunk-Search/How-to-collect-Windows-event-logs-and-field-extractions-without/m-p/209075#M61063 <P>So to be clear.. I haven't done any custom extractions myself as I don't want to spend a ton of time on something that I would assume is already available somewhere.</P> Fri, 11 Sep 2015 12:44:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-collect-Windows-event-logs-and-field-extractions-without/m-p/209075#M61063 hopnscotch 2015-09-11T12:44:14Z Re: How to collect Windows event logs and field extractions without using a universal forwarder? https://community.splunk.com/t5/Splunk-Search/How-to-collect-Windows-event-logs-and-field-extractions-without/m-p/209076#M61064 <P>The <A href="https://splunkbase.splunk.com/app/742/#/overview">Splunk App-on for Windows</A> has extractions for Snare syslog with a sourcetype of <CODE>Snare:Security</CODE> or <CODE>Snare:Application</CODE> etc.</P> Fri, 11 Sep 2015 13:53:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-collect-Windows-event-logs-and-field-extractions-without/m-p/209076#M61064 dturnbull_splun 2015-09-11T13:53:36Z Re: How to collect Windows event logs and field extractions without using a universal forwarder? https://community.splunk.com/t5/Splunk-Search/How-to-collect-Windows-event-logs-and-field-extractions-without/m-p/209077#M61065 <P>The add-on is just for the local system, not for remote snare logs coming in. </P> Fri, 11 Sep 2015 19:27:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-collect-Windows-event-logs-and-field-extractions-without/m-p/209077#M61065 hopnscotch 2015-09-11T19:27:51Z Re: How to collect Windows event logs and field extractions without using a universal forwarder? https://community.splunk.com/t5/Splunk-Search/How-to-collect-Windows-event-logs-and-field-extractions-without/m-p/209078#M61066 <P>Hi ALL,<BR /> I can not see sourcetype snare:application or snare:security while go installed app splunk-ta-windows.<BR /> this case i go monitoring log file from rsyslog server.<BR /> this here use snare agent send syslog to rsyslog server.<BR /> please clear help me how to parsing this log file windows use format snare agent.<BR /> many thanks your suppott</P> Fri, 26 Jan 2018 08:30:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-collect-Windows-event-logs-and-field-extractions-without/m-p/209078#M61066 thuyentv2591 2018-01-26T08:30:51Z