Different sourcetype naming: Splunk 7.2.4 and 8.* or is it the Heavy Forwarder?

afx
Contributor

Hi,
All our UFs and HFs use the following for the Windows input:

[WinEventLog://Security]
sourcetype=XmlWinEventLog:Security
renderXml=1
...

All UFs and the cluster are on Splunk 7.2.4.2.
I recently installed a few HFs and there used the latest Splunk code: 8.0.2.

My 7.* UFs arrive with the following sourcetype and source:

XmlWinEventLog:Security  XmlWinEventLog

My 8.* HFs arrive instead with:

WinEventLog:Security xmlwineventlog

Any ideas what's going wrong?

I have the Splunk_TA_windows installed on the Search Head which renames all the source types, but that of course applies to all win source types. But it looks like the source type renaming only applies for the HF and it still does not explain why the source is changed as well.

thx
afx

0 Karma

codebuilder
SplunkTrust

Verify that props.conf on your 8.* HFs is owned by splunk:splunk. Also, any change to props.conf requires cycling the Splunk daemon to take effect.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

afx
Contributor

My 8.* forwarder runs on Windows as local:system.
There is no props.conf for the Windows event log on the box. Just an input like on all other Windows boxes.

cheers
afx

0 Karma
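The thread leaves open where the effective sourcetype and source for the 8.x HF actually come from. The following PowerShell, added here as an example and not posted by any participant in the thread, runs Splunk's btool on the HF with --debug so that every effective inputs.conf and props.conf setting is printed together with the file that supplies it, then lists every props.conf under etc\ that carries a rename= line or mentions WinEventLog, and finally shows the owner and ACL of the local props.conf as suggested in the answer above. It assumes Splunk is installed at C:\Program Files\Splunk and is run from an elevated prompt on the HF; adjust $SplunkHome otherwise.

```powershell
# Added example (not from the thread): trace which file on an 8.x Windows HF supplies
# the effective Security event log input and the sourcetype/rename settings.
# Assumption: SPLUNK_HOME is C:\Program Files\Splunk; change it if yours differs.
$SplunkHome = 'C:\Program Files\Splunk'
$splunk = Join-Path $SplunkHome 'bin\splunk.exe'
if (-not (Test-Path $splunk)) { throw "splunk.exe not found under $SplunkHome" }

# 1. Effective input stanza. With --debug each line is prefixed by the file it came from,
#    so a stray inputs.conf in another app that overrides sourcetype= becomes visible.
Write-Host '=== effective inputs for [WinEventLog://Security] ==='
& $splunk btool inputs list 'WinEventLog://Security' --debug

# 2. Effective props for every sourcetype name seen in the thread. A rename= here is what
#    turns XmlWinEventLog:Security into XmlWinEventLog on the 7.x path.
foreach ($st in 'XmlWinEventLog:Security', 'WinEventLog:Security', 'XmlWinEventLog') {
    Write-Host "=== effective props for [$st] ==="
    & $splunk btool props list $st --debug
}

# 3. Every props.conf under etc\ that renames a sourcetype or touches WinEventLog,
#    regardless of whether the app is enabled, so nothing is missed on the box.
Write-Host '=== props.conf lines mentioning rename= or WinEventLog ==='
Get-ChildItem -Path (Join-Path $SplunkHome 'etc') -Recurse -Filter 'props.conf' -ErrorAction SilentlyContinue |
    Select-String -Pattern '^\s*rename\s*=|WinEventLog' |
    Select-Object Path, LineNumber, Line |
    Format-Table -AutoSize -Wrap

# 4. Ownership and ACL of the local props.conf (the point raised in the answer above).
#    On a Windows HF running as LocalSystem the owner will not be splunk:splunk; what
#    matters is that the service account can read the file.
$local = Join-Path $SplunkHome 'etc\system\local\props.conf'
if (Test-Path $local) {
    Get-Acl $local | Format-List Path, Owner, AccessToString
} else {
    Write-Host "No $local on this host (consistent with the reply above)."
}
```

Run the same script on one of the 7.x UFs and diff the two btool outputs: the first line that differs in its source file column is the configuration that changed the naming, which separates a TA or app difference from a version difference in the Windows event log input itself.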