Solved: Sourcetype WinEventLog:Security

evinasco · ‎08-21-2018

hi team

i always work with the Add-On "splunk for windows" for monitoring security events, it always brings me the data with "sourceytpe=WinEventLog:Security", but i don't know if the last version changes the sourcetye by wineventlog, i attached a picture with example, i need to have the "Sourcetype=WinEventLog:Security" with my data

sudosplunk · ‎08-21-2018

I am not sure which version TA you're using. I found below in props.conf in default directory of Splunk_TA_windows version 5.0.0. More about renaming sourcetypes.

## To provide backward compatibility for WinEventLog and XmlWinEventLog data
## These will be deprecated in future
[WinEventLog:Security]
rename = wineventlog

If your props.conf have the above attribute, then comment rename command (and restart splunk) OR try renaming wineventlog to WinEventLog:Security in props.conf under local directory to see if this solves your problem.

View solution in original post

sudosplunk · ‎08-21-2018

I am not sure which version TA you're using. I found below in props.conf in default directory of Splunk_TA_windows version 5.0.0. More about renaming sourcetypes.

## To provide backward compatibility for WinEventLog and XmlWinEventLog data
## These will be deprecated in future
[WinEventLog:Security]
rename = wineventlog

If your props.conf have the above attribute, then comment rename command (and restart splunk) OR try renaming wineventlog to WinEventLog:Security in props.conf under local directory to see if this solves your problem.

Sourcetype WinEventLog:Security

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor