We have the event logs of many Windows servers getting indexed via universal forwarders into a number of different index names. The data inputs for each of these sources were originally configured using the default tcp-raw sourcetype because we also have other OSes and devices forwarding data to the same indexes. Now, I would like all of the Windows machines to have WinEventLog:Security, WinEventLog:Application, and WinEventLog:System sourcetypes applied instead of tcp-raw to take advantage of some of the Windows apps. What would be the best way to go about this?
Did you specifically set the sourcetype to something in inputs.conf on the forwarders, because they will default to the (correct) sourcetype names that you mention in your question. Or did you make some index-time transform to change it into tcp-raw?
You probably can't apply the new (correct) names properly, for already indexed data. It's like un-mixing purple paint into blue and red.
For getting the correct sourcetype for new events coming in, you should remove the sourcetype=tcp-raw setting under each [WinEventLog:Security] stanza in inputs.conf on all forwarders. The same for System and Application, of course.
Or if you're doing a transform, remove that.
Other than that, you could have a look at this piece of doc, but it won't help too much I'm afraid.
http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Renamesourcetypes
/K
Don't know what you mean by 'options are disabled'? Did you mean to say that in props.conf on the indexer you have a stanza like:
[source::WinEventLog:Security]
sourcetype=tcp-raw
In that case, just remove that and the new events coming in should be fine.
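Added example (not from this thread or from Splunk): a small audit script that parses an inputs.conf, reports every WinEventLog stanza that carries an explicit sourcetype override such as tcp-raw, and emits a corrected copy with those overrides stripped so the input falls back to its default WinEventLog:<Channel> sourcetype. The inputs.conf text embedded below is a constructed sample of the situation described above, not a real file from anyone's deployment; the stanza names and index name are assumptions.

```python
"""Audit a Splunk inputs.conf for WinEventLog stanzas that override the
sourcetype (for example to tcp-raw) and produce a corrected copy.

Added example, not code from the thread; SAMPLE_INPUTS_CONF is constructed.
"""
import re

# Constructed sample: each WinEventLog stanza carries sourcetype = tcp-raw,
# which masks the default WinEventLog:<Channel> sourcetype the input assigns.
SAMPLE_INPUTS_CONF = """\
[tcp://9997]
index = win_servers
sourcetype = tcp-raw

[WinEventLog:Security]
disabled = 1
sourcetype = tcp-raw
index = win_servers

[WinEventLog:Application]
disabled = 1
sourcetype = tcp-raw
index = win_servers

[WinEventLog:System]
disabled = 1
sourcetype = tcp-raw
index = win_servers
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
SETTING_RE = re.compile(r"^\s*([^=#\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_conf(text):
    """Return an ordered list of (stanza_name, [(key, value), ...])."""
    stanzas = []
    current = None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = (m.group(1), [])
            stanzas.append(current)
            continue
        m = SETTING_RE.match(line)
        if m and current is not None:
            current[1].append((m.group(1), m.group(2)))
    return stanzas


def find_wineventlog_overrides(text):
    """List WinEventLog stanzas whose sourcetype is set explicitly.

    Returns [(stanza, sourcetype, disabled_value)] so the report also shows
    which of those stanzas are currently disabled.
    """
    findings = []
    for name, settings in parse_conf(text):
        if not name.startswith("WinEventLog:"):
            continue
        kv = dict(settings)
        if "sourcetype" in kv:
            findings.append((name, kv["sourcetype"], kv.get("disabled", "0")))
    return findings


def fix_wineventlog_stanzas(text):
    """Return the conf text with the sourcetype line removed from every
    WinEventLog stanza. Other stanzas (and the disabled flags) are untouched."""
    out = []
    in_wineventlog = False
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            in_wineventlog = m.group(1).startswith("WinEventLog:")
            out.append(line)
            continue
        m = SETTING_RE.match(line)
        if in_wineventlog and m and m.group(1) == "sourcetype":
            continue  # drop the override; the input supplies the right name
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for stanza, sourcetype, disabled in find_wineventlog_overrides(SAMPLE_INPUTS_CONF):
        print(f"{stanza}: sourcetype overridden to {sourcetype!r} (disabled={disabled})")
    print(fix_wineventlog_stanzas(SAMPLE_INPUTS_CONF))
```

Run it against a copy of the file you suspect. Because Splunk merges several inputs.conf files (system, app and local), confirm which file actually supplies the effective sourcetype with `splunk btool inputs list --debug` before editing, and check props.conf the same way, since a [source::WinEventLog:Security] stanza there would override the input's default just as the thread describes.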
No, nothing was set on the forwarders to specify a sourcetype and nothing was defined in transforms.conf. On the indexer in inputs.conf, it's set to sourcetype=tcp-raw for each source and also all of the WinEventLog options are disabled.