
Windows Event Logs source and sourcetype names in Universal Forwarder Version 6.0 (Windows Server 2003 SP2 x86)

andreasz
Path Finder

Apparently the source and sourcetype names changed in UF 6.0.

Old name: WinEventLog:Application

New name: WinEventLog:application

The same applies to System and Security Logs.

According to props.conf.spec: "By default, [source::] and [] stanzas match in a case-sensitive manner"

All the props.conf stanzas (Event filtering) don't match any more.

Here is my inputs.conf definition on the forwarder:

default:

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

UF Version: splunkforwarder-6.0-182611-x86-release.msi

Regards,

Andreas

UPDATE

My Workaround

On Indexer:

transforms.conf:

[rename_sourcetype_WinEventLog:application]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::WinEventLog:application
FORMAT = sourcetype::WinEventLog:Application

[rename_sourcetype_WinEventLog:security]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::WinEventLog:security
FORMAT = sourcetype::WinEventLog:Security

[rename_sourcetype_WinEventLog:system]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::WinEventLog:system
FORMAT = sourcetype::WinEventLog:System

[rename_source_WinEventLog:application]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = source::WinEventLog:application
FORMAT = source::WinEventLog:Application

[rename_source_WinEventLog:security]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = source::WinEventLog:security
FORMAT = source::WinEventLog:Security

[rename_source_WinEventLog:system]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = source::WinEventLog:system
FORMAT = source::WinEventLog:System

props.conf:

[WinEventLog:security]
TRANSFORMS-rename_source = rename_source_WinEventLog:security
TRANSFORMS-rename_sourcetype = rename_sourcetype_WinEventLog:security

[WinEventLog:application]
TRANSFORMS-rename_source = rename_source_WinEventLog:application
TRANSFORMS-rename_sourcetype = rename_sourcetype_WinEventLog:application

[WinEventLog:system]
TRANSFORMS-rename_source = rename_source_WinEventLog:system
TRANSFORMS-rename_sourcetype = rename_sourcetype_WinEventLog:system

Update 30.10.2013:

The problem occurs on Windows Server 2003 SP2 x86.
I could not recreate it on Windows Server 2008 R2.


skylasam_splunk
Splunk Employee

This is a known issue - http://docs.splunk.com/Documentation/Splunk/6.0/ReleaseNotes/KnownIssues#Windows-specific_issues

It has since been fixed in UF 6.0.4+ and UF 6.1.x. You can upgrade to these versions, which have the fix. Alternatively, if you cannot upgrade, you can modify your props.conf file to also look for this lower-case sourcetype.

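As an added example (not code from either post, nor from Splunk), the script below automates the check the answer suggests and the workaround in the question, in the general case: it parses a props.conf, compares its stanza names case-sensitively against the sourcetype names actually arriving at the indexer, reports stanzas that differ only in letter case (and therefore never fire), and generates the rename transforms for every such channel rather than only Application, Security and System. The observed-sourcetype list, the sample props.conf and the drop_*_noise transform names it references are constructed for the example; it assumes, as the thread does, that the source name equals the sourcetype name for WinEventLog inputs.

```python
"""Audit props.conf stanzas against the sourcetypes a forwarder actually emits
and generate rename transforms for case-only mismatches.

Added example for this thread; not code from the original posts or from Splunk.
"""
import configparser
import re
from typing import Dict, List, Tuple

# Constructed sample: sourcetype names as seen on the indexer (for instance from
# `| metadata type=sourcetypes`).  The lower-case ones are what the affected
# UF 6.0 x86 build sends; the capitalised ones come from an unaffected host.
# "WinEventLog:Setup" has no props stanza at all and must not be reported.
OBSERVED_SOURCETYPES = [
    "WinEventLog:application",
    "WinEventLog:security",
    "WinEventLog:system",
    "WinEventLog:Application",
    "WinEventLog:Security",
    "WinEventLog:System",
    "WinEventLog:Setup",
]

# Constructed sample props.conf written for the original names only.  The
# referenced transforms (drop_*_noise) are hypothetical.
PROPS_CONF = """
[WinEventLog:Application]
TRANSFORMS-filter = drop_app_noise

[WinEventLog:Security]
TRANSFORMS-filter = drop_sec_noise

[WinEventLog:System]
TRANSFORMS-filter = drop_sys_noise
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk-style .conf text into {stanza: {key: value}}.

    Section names stay case-sensitive, which is the comparison Splunk makes
    for the [source::] and sourcetype stanzas discussed in the thread.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. TRANSFORMS-filter
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def find_case_mismatches(observed: List[str],
                         props: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (emitted_sourcetype, props_stanza) pairs that differ only in
    letter case.  Such a stanza silently never applies to the emitted events."""
    by_lower: Dict[str, List[str]] = {}
    for stanza in props:
        by_lower.setdefault(stanza.lower(), []).append(stanza)
    mismatches = []
    for emitted in observed:
        if emitted in props:
            continue  # exact match: the stanza applies as intended
        for stanza in by_lower.get(emitted.lower(), []):
            mismatches.append((emitted, stanza))
    return mismatches


def rename_transforms(mismatches: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Generate transforms.conf and props.conf text that rewrite the emitted
    sourcetype and source back to the canonical stanza name.

    Assumes (as in the thread) that source name == sourcetype name for
    WinEventLog inputs.  The regexes are anchored so "WinEventLog:system"
    cannot also match a longer channel name.
    """
    transforms, props = [], []
    for emitted, canonical in mismatches:
        for meta in ("Sourcetype", "Source"):
            field = meta.lower()
            transforms.append(
                f"[rename_{field}_{emitted}]\n"
                f"SOURCE_KEY = MetaData:{meta}\n"
                f"DEST_KEY = MetaData:{meta}\n"
                f"REGEX = ^{field}::{re.escape(emitted)}$\n"
                f"FORMAT = {field}::{canonical}\n"
            )
        props.append(
            f"[{emitted}]\n"
            f"TRANSFORMS-rename_source = rename_source_{emitted}\n"
            f"TRANSFORMS-rename_sourcetype = rename_sourcetype_{emitted}\n"
        )
    return "\n".join(transforms), "\n".join(props)


if __name__ == "__main__":
    found = find_case_mismatches(OBSERVED_SOURCETYPES, parse_conf(PROPS_CONF))
    for emitted, stanza in found:
        print(f"{emitted!r} never matches props stanza [{stanza}]")
    t_conf, p_conf = rename_transforms(found)
    print("\n# transforms.conf\n" + t_conf + "\n# props.conf\n" + p_conf)
```

Run against a real deployment, the observed list would be taken from the indexer's metadata and the props.conf from the search head or indexer; a stanza reported here is one whose event filtering has silently stopped working, so this is worth scheduling after any forwarder upgrade, not only for the 6.0 case in this thread.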