I know by using the render in xml for windows logs can save on overhead however, do you need the windows-TA to accomplish this?
Yes and No, both. Or how about "It depends"?
A handful of points in hopefully a not-terrible order:
The Windows TA is a set of "things", many of which parse the Windows Event logs. Other pieces may do lookups (to convert certain hex values into "Allowed" or "Denied" or whatever), other parts which may build pretty dashboards.
As you've noticed, when you set renderXml = 1
on the input there are probably a lot of fields that will come through fine because it's XML and is parsed as XML. So in that sense, the Windows TA isn't really required.
BUT, not all the XML logs are "Well defined XML" either. I mean, they're fine - maybe the right way to say it is that not all fields are A single field. There are times when a single "field" actually contains a lot of data in it, only partly related to each other. In that case, there is additional parsing needed to pull those bits and pieces out into separate fields. I believe the Windows TA does this in several important cases, so in that respect the Windows TA is totally needed.
Except in all those cases, one could just write one's own extractions and parsing, in which case the Windows TA isn't actually needed. Some folks have rewritten or at least rewritten parts of the Windows TA.
So the answer really is it depends.
IMO, if one were really quite enterprising, one could just remove the pieces that were unneeded when you turn on renderXml, but I think the only thing that would do would be to reduce your props/transforms files' size a bit. But since all the stuff that is in the TA for parsing older logs won't get used, it's really not making your system slower or anything - maybe a few more milliseconds wasted at startup, but likely a more or less zero impact to the running system.
So, does all that makes sense? 🙂
Yes and No, both. Or how about "It depends"?
A handful of points in hopefully a not-terrible order:
The Windows TA is a set of "things", many of which parse the Windows Event logs. Other pieces may do lookups (to convert certain hex values into "Allowed" or "Denied" or whatever), other parts which may build pretty dashboards.
As you've noticed, when you set renderXml = 1
on the input there are probably a lot of fields that will come through fine because it's XML and is parsed as XML. So in that sense, the Windows TA isn't really required.
BUT, not all the XML logs are "Well defined XML" either. I mean, they're fine - maybe the right way to say it is that not all fields are A single field. There are times when a single "field" actually contains a lot of data in it, only partly related to each other. In that case, there is additional parsing needed to pull those bits and pieces out into separate fields. I believe the Windows TA does this in several important cases, so in that respect the Windows TA is totally needed.
Except in all those cases, one could just write one's own extractions and parsing, in which case the Windows TA isn't actually needed. Some folks have rewritten or at least rewritten parts of the Windows TA.
So the answer really is it depends.
IMO, if one were really quite enterprising, one could just remove the pieces that were unneeded when you turn on renderXml, but I think the only thing that would do would be to reduce your props/transforms files' size a bit. But since all the stuff that is in the TA for parsing older logs won't get used, it's really not making your system slower or anything - maybe a few more milliseconds wasted at startup, but likely a more or less zero impact to the running system.
So, does all that makes sense? 🙂
yep! thank you! We are going over the app today and are removing everything we do not need! thanks for your time.