Hi All,
I currently have a UF installed on a host sending Windows security logs to index=wineventlogs in non-XML format (which is what I want). The issue is that the same host is sending the Windows security logs in XML to index=main, and I cannot find the reason why. I have installed the Splunk App for Win Infra (1.5.0), Win_TA (5.0.1) and Splunk Add-on for AD/DNS (1.0.0/1.0.1) on my SH, IDX and UF (where needed, as per Splunk documentation).
My guess here is that it is something to do with one of the above apps installed, as the UF has the following inputs.conf under 'etc/app/Splunk_TA_Windows\local\'. No other local files on the UF.
inputs.conf on the UF:
[WinEventLog://Security]
disabled=0
index=wineventlog
renderXml=false
..............(other default data - start_from, current_only etc)
I have used btool on the host UF (inputs and outputs list) as well as the IDX (inputs, props and transforms list), though I can't seem to find the issue.
I have also gone through the Windows Add-on upgrade documentation.
Any further advice/tips would be very appreciated (i.e. what to specifically look for using btool or potential root causes)
Cheers.
Hi,
If nothing else helps: it's bold, but I would try to identify if there are any rogue (forgotten/misconfigured/multiple UF on the same server) hosts with another UF. So try to stop that UF in order to check if there are any rogue UFs somewhere with the same hostname.
Regards,
István
Hi Istvan,
This may actually be the cause. I stopped the forwarder service and the Windows XML data was still being sent to index=main, but the data I actually want to ingest (non-XML) stopped ingesting to index=wineventlog.
Now I just have to find out where this is occurring. Luckily the deployment is not large yet (less than 10 UF/sources ingesting).
Cheers.
Did you ever figure out the culprit? I am actually trying to figure out how to send the Windows event logs in xml and non-xml formats. The xml format is going to be sent to a 3rd party system, but we use the non-xml format at my company.
Please look at the default/inputs.conf and local/inputs.conf under Win Infra and Splunk Add-on for AD/DNS on the UF (this reads Windows events), as by default some of the inputs could be enabled. If you find them, please create local/inputs.conf and disable them, as they could cause conflicts.
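To make the advice above concrete, here is an added example (not from the thread and not Splunk's own tooling) that reproduces the merge `splunk btool inputs list --debug` performs: every inputs.conf is layered into one effective stanza set, with etc/system/local beating every app's local/, which beats every app's default/, which beats etc/system/default, and apps at the same layer ordered by ASCII order of their directory name (earlier wins). It runs on constructed sample files embedded in the script; the app name Hypothetical_TA and all stanza contents are invented for the demonstration. The point it shows is that a second add-on's local/inputs.conf can silently override `renderXml` on the very stanza you configured, and that the source file of each effective key is what to look for in the btool debug output.

```python
"""Emulate Splunk's inputs.conf layering for WinEventLog stanzas.

Added example for this thread (not Splunk's tooling). Mirrors the
global-context precedence Splunk applies when merging conf files and
records which file supplied each effective key, as btool --debug does.
All file contents below are constructed; Hypothetical_TA is invented.
"""
import re
from collections import OrderedDict

DEFAULT_INDEX = "main"  # destination when a stanza sets no index

# Constructed sample files, keyed by path relative to $SPLUNK_HOME.
SAMPLE_FILES = {
    "etc/apps/Splunk_TA_windows/default/inputs.conf": """
# Shipped defaults: channels disabled, XML rendering on
[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
renderXml = true

[WinEventLog://System]
disabled = 1
renderXml = true
""",
    "etc/apps/Splunk_TA_windows/local/inputs.conf": """
[WinEventLog://Security]
disabled = 0
index = wineventlog
renderXml = false
""",
    # Hypothetical second add-on whose local/ also touches Security
    "etc/apps/Hypothetical_TA/local/inputs.conf": """
[WinEventLog://Security]
renderXml = true
""",
}


def parse_conf(text):
    """Parse Splunk's INI-like syntax into {stanza: {key: value}}."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)  # stanza names may contain '://'
        if m:
            current = m.group(1)
            stanzas.setdefault(current, OrderedDict())
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def precedence(path):
    """Lower tuple = higher precedence, mirroring Splunk's global context."""
    parts = path.split("/")
    if parts[:3] == ["etc", "system", "local"]:
        return (0, "")
    if parts[:2] == ["etc", "apps"] and parts[3] == "local":
        return (1, parts[2])  # ASCII order of the app name breaks ties
    if parts[:2] == ["etc", "apps"] and parts[3] == "default":
        return (2, parts[2])
    return (3, "")  # etc/system/default


def merge_inputs(files):
    """Return {stanza: {key: (value, source_path)}}, like btool --debug."""
    effective = OrderedDict()
    # Apply lowest precedence first so higher-precedence files overwrite.
    for path in sorted(files, key=precedence, reverse=True):
        for stanza, settings in parse_conf(files[path]).items():
            target = effective.setdefault(stanza, OrderedDict())
            for key, value in settings.items():
                target[key] = (value, path)
    return effective


def is_true(value):
    return str(value).strip().lower() in ("1", "true", "yes", "t", "y")


def enabled_wineventlog(effective):
    """Summarise each enabled WinEventLog channel and who set renderXml."""
    summary = OrderedDict()
    for stanza, keys in effective.items():
        if not stanza.startswith("WinEventLog://"):
            continue
        disabled, _ = keys.get("disabled", ("0", "<unset>"))
        if is_true(disabled):
            continue
        index, _ = keys.get("index", (DEFAULT_INDEX, "<unset>"))
        render_xml, xml_src = keys.get("renderXml", ("false", "<unset>"))
        summary[stanza] = {"index": index,
                           "renderXml": is_true(render_xml),
                           "renderXml_from": xml_src}
    return summary


if __name__ == "__main__":
    for stanza, info in enabled_wineventlog(merge_inputs(SAMPLE_FILES)).items():
        print(f"{stanza}: index={info['index']} renderXml={info['renderXml']} "
              f"(set by {info['renderXml_from']})")
```

Against the sample files the effective Security stanza is enabled and bound to index=wineventlog by Splunk_TA_windows/local, yet renders XML because Hypothetical_TA/local sorts earlier in ASCII order and wins the `renderXml` key. If the real merged view on a forwarder shows no enabled stanza that renders XML, the XML events are not coming from that forwarder's configuration at all, which is consistent with what stopping the UF service showed earlier in this thread.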
Thanks for the advice. This particular UF does not have the Splunk Add-on for AD/DNS installed, only Splunk_TA_windows. The SH and IDX have the Win Infra App installed. Currently I have only looked at the inputs and outputs list using btool on the UF and the inputs, props and transforms list on the IDX.