
Why am I unable to parse offline windows event logs using Add data via Splunk Web?

Splunk Employee

OS version: Windows 10

We want to upload a saved Windows event log file (.evtx) to Splunk. Splunk assigned the "Preprocess-winevt" source type at the second step (Set Source Type) of the "Add Data" procedure. The log was shown not parsed properly. We are not sure how to proceed.

While there is no error reading the input definition, the log was not parsed successfully. The raw event reads as follows.
ElfFile\x00\x00\x00\x00\x00\x00\x00\x00\x00,\x00\x00\x00\x00\x00\x00\xE0\xFF\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00-\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\xA7U\x00\x00\x00\x00\x00\x00\x00....


Re: Why am I unable to parse offline windows event logs using Add data via Splunk Web?

Splunk Employee
  1. As per the documentation: https://docs.splunk.com/Documentation/Splunk/7.2.5/Data/MonitorWindowseventlogdata#Index_exported_ev... : Files that have been exported from another machine do not work with the Splunk Web Upload feature. This is because those files contain information that is specific to the machine that generated them. Other machines won't be able to process the files in their unaltered form. So the upload feature is not working.

  2. Constraints for monitoring Windows Event log files directly
As a result of API and log channel processing constraints on Windows XP and Server 2003 systems, imported .evt files from those systems do not contain the "Message" field. This means that the contents of the "Message" field do not appear in your Splunk index.
Splunk Enterprise on Windows XP and Windows Server 2003/2003 R2 cannot index .evtx files exported from systems running Windows Vista and later or Windows Server 2008/2008 R2 and later.
Splunk Enterprise on Windows Vista and later and Server 2008/2008 R2 and later can index both .evt and .evtx files.
If your .evt or .evtx file is not from a standard event log channel, you must make sure that any dynamic link library (DLL) files required by that channel are present on the computer on which you are indexing.
Splunk Enterprise indexes an .evt or .evtx file in the primary locale/language of the computer that collects the file.

You can check/find the constraints at https://docs.splunk.com/Documentation/Splunk/7.2.5/Data/MonitorWindowseventlogdata#Index_exported_ev....

Detailed steps on how to monitor the exported .evtx Windows event logs on another Windows server:

I tested the steps below in my lab environment and they work perfectly fine. I am able to export Windows event logs, copy them to another server and monitor them there. I was able to see the events getting indexed and I was able to see that parsing was working as expected.

  1. I installed two Windows servers with the same version (OS: Windows Server 2012).

Source host on which I exported the events: ip-OACA0965

  2. I installed Splunk software on the second host, ip-0ACA0DBF, and set up inputs.conf to monitor the exported files.

On ip-0ACA0DBF, I updated $SPLUNK_HOME/etc/system/local/inputs.conf as below:

Stanza (the exported sourceevents.evtx was copied from ip-OACA0965 to ip-0ACA0DBF):
[monitor://C:/sourceevents.evtx]
queue = winparsing
crcSalt =
whitelist=.evtx$

I copied sourceevents.evtx to C:/ on the ip-0ACA0DBF server.

  3. Restart the Splunk service. I am able to see the exported Windows event logs indexed and was able to search the data successfully.
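The raw event shown in the question starts with the bytes "ElfFile\x00", which is the EVTX file signature: Splunk Web read the binary container as text, which is why the monitor stanza with queue = winparsing is needed instead. As an added example (not from this thread or from Splunk), the Python below checks a copied .evtx before it is dropped into the monitored path: it confirms the signature, the header CRC32, the dirty flag and that every declared 64 KiB chunk is present, so a truncated or corrupted copy is caught before it reaches the indexer. Header offsets follow the published EVTX file header layout; the sample file is constructed inline.

```python
import struct
import zlib

# EVTX on-disk constants (Windows Vista+ event log format); sizes are fixed by the format.
EVTX_FILE_SIG = b"ElfFile\x00"    # what the question's "raw event" starts with
EVTX_CHUNK_SIG = b"ElfChnk\x00"
HEADER_BLOCK_SIZE = 0x1000        # file header block, 4096 bytes
CHUNK_SIZE = 0x10000              # each chunk is 64 KiB
FLAG_DIRTY = 0x1                  # log was not cleanly closed when exported/copied


def check_evtx(data: bytes) -> dict:
    """Validate an .evtx byte string; return header fields plus a list of problems."""
    if len(data) < 0x80 or data[:8] != EVTX_FILE_SIG:
        return {"is_evtx": False, "problems": ["missing 'ElfFile' signature"]}
    (first_chunk, last_chunk, next_record, header_size,
     minor, major, block_size, num_chunks) = struct.unpack_from("<QQQIHHHH", data, 8)
    flags, stored_crc = struct.unpack_from("<II", data, 0x78)
    problems = []
    if header_size != 0x80 or block_size != HEADER_BLOCK_SIZE:
        problems.append("unexpected header size fields")
    if (zlib.crc32(data[:0x78]) & 0xFFFFFFFF) != stored_crc:   # CRC covers bytes 0..119
        problems.append("header CRC32 mismatch (truncated or corrupted copy?)")
    if flags & FLAG_DIRTY:
        problems.append("dirty flag set: export was not cleanly closed")
    # Walk the declared chunks and confirm each one carries the chunk signature.
    found = 0
    for i in range(num_chunks):
        off = HEADER_BLOCK_SIZE + i * CHUNK_SIZE
        if data[off:off + 8] == EVTX_CHUNK_SIG:
            found += 1
    if found != num_chunks:
        problems.append(f"only {found} of {num_chunks} chunks present")
    return {"is_evtx": True, "version": f"{major}.{minor}", "chunks": num_chunks,
            "first_chunk": first_chunk, "last_chunk": last_chunk,
            "next_record_id": next_record, "problems": problems}


def build_sample_evtx(num_chunks: int = 2, dirty: bool = False) -> bytes:
    """Constructed sample: a structurally valid EVTX container with empty chunks (not a real export)."""
    hdr = bytearray(HEADER_BLOCK_SIZE)
    hdr[:8] = EVTX_FILE_SIG
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, num_chunks - 1, 1, 0x80, 1, 3,
                     HEADER_BLOCK_SIZE, num_chunks)
    struct.pack_into("<I", hdr, 0x78, FLAG_DIRTY if dirty else 0)
    struct.pack_into("<I", hdr, 0x7C, zlib.crc32(bytes(hdr[:0x78])) & 0xFFFFFFFF)
    chunks = b"".join(EVTX_CHUNK_SIG.ljust(CHUNK_SIZE, b"\x00") for _ in range(num_chunks))
    return bytes(hdr) + chunks


if __name__ == "__main__":
    sample = build_sample_evtx()
    print(sample[:24])   # b'ElfFile\x00\x00...' is exactly what Splunk Web showed as the raw event
    print(check_evtx(sample))
```

Run it against the copied file (open it in binary mode and pass the bytes) before restarting Splunk; any entry in "problems" means the copy should be re-exported rather than indexed.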