Hi team,
I always work with the add-on "Splunk for Windows" for monitoring security events. It always brings me the data with "sourcetype=WinEventLog:Security", but I don't know if the latest version changes the sourcetype to wineventlog. I attached a picture with an example. I need to have "sourcetype=WinEventLog:Security" with my data.
I am not sure which version of the TA you're using. I found the following in props.conf in the default directory of Splunk_TA_windows version 5.0.0. More about renaming sourcetypes.
## To provide backward compatibility for WinEventLog and XmlWinEventLog data
## These will be deprecated in future
[WinEventLog:Security]
rename = wineventlog
If your props.conf has the above attribute, then comment out the rename command (and restart Splunk), OR try renaming wineventlog to WinEventLog:Security in props.conf under the local directory to see if this solves your problem.
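To see why the two options differ, here is an added example (not code from the thread or from the Splunk add-on) that models how Splunk layers default/props.conf under local/props.conf and resolves the effective sourcetype. It assumes a simplified .conf syntax and assumes that an explicit empty rename value in local disables the rename; the conf text is constructed.

```python
# Added example, not from the original thread: a minimal model of how Splunk
# layers default/props.conf under local/props.conf, to check which "rename"
# wins for a stanza. All conf text below is constructed, not a real add-on's.
import re

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; '#' lines are comments."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out rename sets nothing at all
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            conf.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[current][key.strip()] = value.strip()
    return conf

def merge_layers(*layers):
    """Later layers (local) override earlier ones (default) key by key."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged

def effective_sourcetype(merged, sourcetype):
    """Sourcetype events end up with after a non-empty rename is applied."""
    return merged.get(sourcetype, {}).get("rename", "") or sourcetype

# Constructed stand-in for the add-on's default/props.conf
DEFAULT = "[WinEventLog:Security]\nrename = wineventlog\n"
# local/props.conf with the rename only commented out: default still wins
LOCAL_COMMENTED = "[WinEventLog:Security]\n# rename = wineventlog\n"
# local/props.conf setting the key explicitly (assumption: empty disables it)
LOCAL_EMPTY = "[WinEventLog:Security]\nrename =\n"

def check(local_text):
    """Resolve what 'WinEventLog:Security' events are called after layering."""
    merged = merge_layers(parse_conf(DEFAULT), parse_conf(local_text))
    return effective_sourcetype(merged, "WinEventLog:Security")
```

The point it makes: commenting a line out in local changes nothing, because the default layer still supplies the rename; only editing the default file or setting the key explicitly in local takes effect, and edits to default are lost on upgrade.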