Splunk Search

Can splunk listen to ETW?

some_user
Explorer

Can splunk listen to events written to ETW the way the new Semantic Logging application block can?

Tags (2)

gmelnik_splunk
Splunk Employee
Splunk Employee

There's a SLAB sink for Splunk now: http://www.nuget.org/packages/Splunk.Logging.SLAB/
For more info, see this blog post.

barakreeves
Splunk Employee
Splunk Employee

As you probably already know, the Windows Event Log is built on top of ETW...needless to say, ETW has been around for a long time. For most of these type of technologies, ETW requires a registered provider (such as an application) and a consumer. Obviously, if the ETW is writing to the Event Log, then it is easy for Splunk to consume. What if it is not? In that case you have a couple options:

1- use the logman command
2- Powershell(?)/ C#: you will need to hack some code together to consume the data and forward it to Splunk.

Feel free to describe more about you use case and hopefully we can help you out further.

halr9000
Motivator

Here is a blog post with logman examples as well as links to other tools: http://blogs.msdn.com/b/oanapl/archive/2009/08/05/etw-event-tracing-for-windows-what-it-is-and-usefu...

I think that a complete answer to this question should have samples that work with Splunk.

0 Karma

barakreeves
Splunk Employee
Splunk Employee

Maybe I was not clear and I apologize for that. The answer is, yes Splunk can get data from ETW. However, as you stated from one of your comments, there has to be listeners configured. Splunk can do that. It's done all the time. If the data is human readable, or made to be human readable, the data can be Splunked. Here is a reference to a doc. http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/Setupcustominputs

My suggestion is to start playing with Splunk. It is very flexible and agile...even for Windows app and os monitoring.

0 Karma

some_user
Explorer

In case I was not clear with my original question -- I realize that Splunk can consume flat files and windows event log. From your responses (and thanks for taking time to answer) I understand that Splunk cannot listen to ETW. That is all I wanted to know. It would be great if anyone from Splunk could confirm it.

0 Karma

barakreeves
Splunk Employee
Splunk Employee

In this case you have 2 options: send the data to a syslog for consumption and get Splunk to grab it from there; the other option is to have Splunk read the Event Log. This will save coding time.

Yes, you will need to install a forwarder on your Windows machine but the impact is very minimal especially for something like this.

Also, search on this forum to see the impact from other users forwarders consume. Most of the answers are being answered by non-Splunk employees.

0 Karma

some_user
Explorer

I'm not at all familiar with Splunk in detail. I hoped it was more than just listening to file system and then parsing those files.

AFAIK ETW does not write anywhere unless there are listeners capturing. So I have listeners that hear and write to files and windows Event Log. For that I have to explicitly run a windows service and implement and configure eventlog listener. Splunk in turn listening to what I produce would be an overhead. I hoped Splunk could go directly, the way PerfView can, for example.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...