crcSalt does not work with this type of input.
If this were not binary data, I would do some text substitution with sed, but I don't know of a way to do that with binary evtx.
WinEventLog is a modular input; it does not monitor files but queries the Windows WinEvent endpoint.
Splunk uses a checkpoint to identify the latest event ID collected per channel.
If you want to reindex a channel, you can reset the checkpoint.
1- stop Splunk
2- look on the forwarder in a folder like $SPLUNK_HOME\var\lib\splunk\modinputs\wineventlogs
and inside the folder you will find a file (XML format) for each channel (Security, Application, etc.)
3- remove the file
4- restart Splunk
It should cause the forwarder to forget the last checkpoints and restart from the beginning.
Warning: it may cause duplicates, as it will resend them all, and it may take some time to backfill all the events if there are several months of old data.
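The checkpoint reset from the answer above as a PowerShell script, added here as an example rather than taken from the thread or from Splunk. It assumes the forwarder runs as the Windows service SplunkForwarder, that the checkpoint folder is the one named in the answer, and that each channel's checkpoint file has the channel name in its file name (all three are assumptions to verify on your host).

```powershell
<#
  Added example (not from the thread): reset the WinEventLog checkpoint for
  one channel on a Windows universal forwarder, keeping a backup of the
  checkpoint file so the reset can be undone.
  Assumptions: service name 'SplunkForwarder' (change if yours differs) and a
  checkpoint file name that contains the channel name (list the folder first).
#>
param(
    [Parameter(Mandatory = $true)][string]$Channel,          # e.g. Security
    [string]$SplunkHome    = 'C:\Program Files\SplunkUniversalForwarder',
    [string]$ServiceName   = 'SplunkForwarder',
    # Folder given in the answer above; confirm the exact name on your host
    [string]$CheckpointDir = "$SplunkHome\var\lib\splunk\modinputs\wineventlogs"
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $CheckpointDir)) {
    throw "Checkpoint folder not found: $CheckpointDir"
}

# One XML checkpoint file per channel; select only the one(s) for this channel
$files = Get-ChildItem -LiteralPath $CheckpointDir -File |
         Where-Object { $_.Name -like "*$Channel*" }
if (-not $files) {
    Write-Host "No checkpoint file matching '$Channel' in $CheckpointDir. Files present:"
    Get-ChildItem -LiteralPath $CheckpointDir -File | Select-Object -ExpandProperty Name
    exit 1
}

# Step 1: stop the forwarder so it cannot rewrite the checkpoint while we work
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Steps 2-3: copy the file to a timestamped backup folder, then remove it
$backupDir = Join-Path $env:TEMP ('wineventlog-checkpoint-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null
foreach ($f in $files) {
    Copy-Item -LiteralPath $f.FullName -Destination $backupDir
    Remove-Item -LiteralPath $f.FullName
    Write-Host "Removed $($f.FullName) (backup in $backupDir)"
}

# Step 4: restart; the channel is re-read from the beginning, so expect
# duplicate events in the index and a backfill that takes a while on old logs
Start-Service -Name $ServiceName
Write-Host "Restarted $ServiceName. To undo, stop it again and copy the backup file back."
```

Run it once per channel you want reindexed; the backup folder path is printed so the checkpoint can be restored if the backfill turns out to be unwanted.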
Thanks, trying this out now.
That worked, thanks!
Are you monitoring any other files from the forwarder where you want to collect WinEventLogs?
Yes, although this is a Dev environment so I don't mind if those are disrupted.