
I cannot find "WinEventLog:Security" on the source type selection screen when uploading data.

Builder

I cannot find "WinEventLog:Security" on the source type selection screen when uploading data, and I can't find it in the sourcetype list screen either.

However, the logs have a definite source type definition.

Is this a specification? Also, if I want to display it on these screens, do I need to explicitly create a stanza in props.conf?

I hope someone can tell me.

0 Karma
1 Solution

Influencer

Hey

The reason is that the Splunk Add-on for Microsoft Windows is a TA and contains mainly what needs to be installed on the indexer to properly break events and do other index-time operations.

Having that in mind, it appears that WinEventLog:Security is a sourcetype that only needs search-time extractions, as you can see in the app https://splunkbase.splunk.com/app/1680/.

The Splunk App for Windows Infrastructure, yes, needs to be installed on the search head; it actually does those search-time extractions, and therefore will give you the sourcetype WinEventLog:Security as an option when uploading data.

To summarize: install the Splunk App for Windows Infrastructure on the machine where you want the option to choose WinEventLog:Security.

Let me know if it helps.


0 Karma
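A practical way to check the explanation above on your own instance is to see which app actually ships a `[WinEventLog:Security]` stanza, since Splunk Web builds the sourcetype list from the props.conf stanzas visible to that instance. The script below is an added example, not code from the thread or from either Splunk app; it assumes the standard `$SPLUNK_HOME/etc/apps/<app>/{default,local}/props.conf` layout, and the demo app names and stanza contents it creates are constructed for illustration only.

```shell
#!/bin/sh
# find_sourcetype_stanzas SPLUNK_HOME SOURCETYPE
# Prints "<app>/<default|local>/props.conf" for every app-level props.conf
# that defines an exact "[SOURCETYPE]" stanza (a "[source::...]" stanza
# does not count, which is the TA-vs-app distinction from the answer).
find_sourcetype_stanzas() {
    splunk_home="$1"
    sourcetype="$2"
    prefix="$splunk_home/etc/apps/"
    for conf in "$splunk_home"/etc/apps/*/default/props.conf \
                "$splunk_home"/etc/apps/*/local/props.conf; do
        [ -f "$conf" ] || continue
        # -F: brackets are literal; -x: the whole line must be the header
        if grep -qxF "[$sourcetype]" "$conf"; then
            printf '%s\n' "${conf#$prefix}"
        fi
    done | sort
}

# make_demo_home: builds a CONSTRUCTED SPLUNK_HOME in a temp dir with two
# hypothetical apps so the check can run offline. Prints the path.
make_demo_home() {
    home=$(mktemp -d)
    # "example_ta": index-time settings keyed by source, no sourcetype stanza
    mkdir -p "$home/etc/apps/example_ta/default"
    cat > "$home/etc/apps/example_ta/default/props.conf" <<'EOF'
[source::WinEventLog:Security]
SHOULD_LINEMERGE = false
EOF
    # "example_app": a search-time extraction under the sourcetype stanza
    mkdir -p "$home/etc/apps/example_app/default"
    cat > "$home/etc/apps/example_app/default/props.conf" <<'EOF'
[WinEventLog:Security]
EXTRACT-logon_type = Logon Type:\s+(?<Logon_Type>\d+)
EOF
    printf '%s\n' "$home"
}

# Stand-alone demo on the constructed layout:
demo_home=$(make_demo_home)
find_sourcetype_stanzas "$demo_home" WinEventLog:Security
rm -rf "$demo_home"
```

On a real search head, point the first argument at your actual `$SPLUNK_HOME` (after installing the App for Windows Infrastructure you should see it listed; before, only whatever your own local props.conf defines).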

Builder

Thank you for the answer!

You mean that the sourcetype WinEventLog:Security is defined just as the sourcetype field at index time if I install only the Splunk Add-on for Microsoft Windows.

Also, if I want to add search-time settings to the sourcetype WinEventLog:Security, I have to install the Splunk App for Windows Infrastructure, right?

0 Karma

Influencer

Yes, that is correct; it is the safer procedure indeed.

Please accept the answer and upvote if it helped solve your issue.

0 Karma