Getting Data In

Applying correct sourcetypes to Windows event logs

tpowell12
Explorer

We have the event logs of many Windows servers getting indexed via universal forwarders into a number of different index names. The data inputs for each of these sources were originally configured using the default tcp-raw sourcetype because we also have other OSes and devices forwarding data to the same indexes. Now, I would like all of the Windows machines to have WinEventLog:Security, WinEventLog:Application, and WinEventLog:System sourcetypes applied instead of tcp-raw to take advantage of some of the Windows apps. What would be the best way to go about this?

0 Karma

kristian_kolb
Ultra Champion

Did you specifically set the sourcetype to something in inputs.conf on the forwarders, because they will default to the (correct) sourcetype names that you mention in your question. Or did you make some index-time transform to change it into tcp-raw?

You probably can't apply the new (correct) names properly, for already indexed data. It's like un-mixing purple paint into blue and red.

For getting the correct sourcetype for new events coming in, you should remove the sourcetype=tcp-raw setting under each [WinEventLog:Security] stanza in inputs.conf on all forwarders. The same for System and Application, of course.

Or if you're doing a transform, remove that.

Other than that, you could have a look at this piece of doc, but it won't help too much I'm afraid.
http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Renamesourcetypes

/K

0 Karma

kristian_kolb
Ultra Champion

Don't know what you mean by 'options are disabled'? Did you mean to say that in props.conf on the indexer you have a stanza like:

[source::WinEventLog:Security]
sourcetype=tcp-raw

In that case, just remove that and the new events coming in should be fine.

0 Karma

tpowell12
Explorer

No, nothing was set on the forwarders to specify a sourcetype and nothing was defined in transforms.conf. On the indexer in inputs.conf, it's set to sourcetype=tcp-raw for each source and also all of the WinEventLog options are disabled.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...