I cannot find "WinEventLog:Security" on the source type selection screen when uploading data.
And I can't find it on the sourcetype list screen either.
However, the logs have a definite source type definition.
Is this a specification?
Also, if I want to display it on these screens, do I need to explicitly create a stanza in props.conf?
I hope someone can tell me.
The reason is that Splunk Add-on for Microsoft Windows is a TA and contains mainly what needs to be installed in the Indexer to properly break events and do other index time operations.
Having that in mind, it appears that WinEventLog:Security is a sourcetype that only needs search time extractions as you can see in the app https://splunkbase.splunk.com/app/1680/.
The Splunk App for Windows Infrastructure does need to be installed on the Search Head and actually does those search time extractions, and therefore will get you the sourcetype WinEventLog:Security as an option for uploading data.
To summarize: install the Splunk App for Windows Infrastructure on the machine where you want to have the option to choose WinEventLog:Security.
Let me know if it helps.
Thank you for the answer!
You mean that the sourcetype WinEventLog:Security is defined as just the field sourcetype at index time if I installed only the Splunk Add-on for Microsoft Windows.
Also, if I want to add search-time settings to the sourcetype WinEventLog:Security, I have to install the Splunk App for Windows Infrastructure, right?
Yes, that is correct; it is the safer procedure indeed.
Please accept the answer and upvote if it helped solve your issue