Getting Data In

How can I upload an Administrative Events.evtx file?

ddrillic
Ultra Champion

We are trying to upload the Administrative Events.evtx file via the Add Data interface. However, the interface doesn't seem to provide the option to treat the file as a Windows events log file.

We see -


Any ideas?

0 Karma

woodcock
Esteemed Legend

Decoding of evtx files must be done in the context of the Windows server where they were generated, and upload does not work. For a great explanation, see the answer by @inventsekar here (be sure to UpVote him):
https://answers.splunk.com/answers/479464/how-to-index-evtx-files-in-splunk.html

0 Karma

joesrepsolc
Communicator

Just ran into this same issue, having trouble ingesting these .evtx logs (from a Citrix application server). Also read through the link woodcock provided (https://answers.splunk.com/answers/479464/how-to-index-evtx-files-in-splunk.html) and didn't see any clear answer.

I'm using a forwarder to monitor the file, and also used sourcetype=WinEventLog after installing the Windows TA... but I'm getting the same results as ddrillic.

Anyone got more info on how to ingest these logs? Thanks!

Joe

0 Karma

woodcock
Esteemed Legend

I believe that @landen99 @alanden_splunk can shed some light on this.

0 Karma

landen99
Motivator

@joesrepsolc The solution appears fairly complicated, so clarity is not going to be expected when using Splunk to do it. I actually prefer the other answer by @tnesavich for the sake of clarity. But I expect it is much simpler to use the python method, not mentioned in those answers. Have you looked at python-evtx? https://github.com/williballenthin/python-evtx

0 Karma

ddrillic
Ultra Champion

Very kind @woodcock

0 Karma

lfedak_splunk
Splunk Employee

Hey @ddrillic, Here's some documentation on adding this type of file. http://docs.splunk.com/Documentation/Splunk/5.0/Data/MonitorWindowsdata

0 Karma

lfedak_splunk
Splunk Employee

Here are a few Answers links as well:
Through the interface: https://answers.splunk.com/answers/528735/how-to-index-exported-evt-and-evtx-files.html
Using a forwarder or using a work-around to change them into csv or text files: https://answers.splunk.com/answers/479464/how-to-index-evtx-files-in-splunk.html

0 Karma
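The "change them into csv or text files" work-around mentioned above, as an added example that is not code from this thread or from Splunk: a PowerShell script that reads a saved .evtx through the Windows event log API on a Windows host and writes one JSON object per line, which Splunk can then upload through Add Data or tail with a plain monitor input. The script name, parameter names and the field names in the JSON are my choices, not anything Splunk defines; it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not code from the thread: convert a saved .evtx (for example an
# exported "Administrative Events" custom view) into newline-delimited JSON that
# Splunk can index as text. Get-WinEvent decodes the binary log through the
# Windows API, which is why this step has to run on Windows rather than inside
# Splunk's Add Data upload. Parameter and field names are this example's own.
param(
    [Parameter(Mandatory = $true)][string]$EvtxPath,
    [Parameter(Mandatory = $true)][string]$OutPath
)

$ErrorActionPreference = 'Stop'
$EvtxPath = (Resolve-Path -LiteralPath $EvtxPath).Path

# Create (or truncate) the output file so a forwarder monitor sees a fresh file.
New-Item -ItemType File -Path $OutPath -Force | Out-Null

# -Oldest yields events in chronological order, so timestamps in the output
# file are monotonic for Splunk's line-by-line ingestion.
Get-WinEvent -Path $EvtxPath -Oldest | ForEach-Object {
    $e = $_

    # The rendered XML still carries EventData even when $e.Message is empty,
    # which happens when the converting host lacks the provider's message DLLs
    # (typical for a log exported from another server, such as a Citrix host).
    [xml]$x = $e.ToXml()
    $data = [ordered]@{}
    foreach ($d in @($x.Event.EventData.Data)) {
        if ($null -eq $d) { continue }
        if ($d -is [string]) {
            # <Data> element without a Name attribute comes back as a bare string
            $data['Data' + $data.Count] = $d
        } else {
            $name = if ($d.Name) { $d.Name } else { 'Data' + $data.Count }
            $data[$name] = [string]$d.'#text'
        }
    }

    # ISO 8601 UTC timestamp so Splunk does not have to guess the time zone.
    $ts  = if ($e.TimeCreated) { $e.TimeCreated.ToUniversalTime().ToString('o') } else { $null }
    $sid = if ($e.UserId) { $e.UserId.Value } else { $null }

    $obj = [ordered]@{
        time      = $ts
        EventID   = $e.Id
        Level     = $e.Level              # numeric level survives a missing provider
        LevelName = $e.LevelDisplayName
        Provider  = $e.ProviderName
        Channel   = $e.LogName            # keeps the origin channel of a multi-channel export
        Computer  = $e.MachineName
        RecordId  = $e.RecordId
        UserSid   = $sid
        Message   = $e.Message
        EventData = $data
    }

    # -Compress emits one object per line (NDJSON): one line, one event.
    $obj | ConvertTo-Json -Compress -Depth 4
} | Add-Content -LiteralPath $OutPath -Encoding UTF8
```

Run it on the Windows box as, for example, `.\Convert-Evtx.ps1 -EvtxPath '.\Administrative Events.evtx' -OutPath '.\admin-events.json'`, then upload admin-events.json through Add Data with sourcetype `_json`, or define a sourcetype with `INDEXED_EXTRACTIONS = json` and `TIMESTAMP_FIELDS = time` and point a monitor stanza at the output directory. Two caveats: an exported "Administrative Events" view is a saved copy of events from several channels, so the Channel field is what tells you where each event came from, and EventData is emitted as a nested object rather than flattened, so events with duplicate Data names only keep the last value. Later Splunk releases also document a `preprocess-winevt` sourcetype for monitoring saved .evt/.evtx files directly from a Windows universal forwarder; check the "Monitor Windows event log data" page for your version before relying on it.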

lfedak_splunk
Splunk Employee

Hi @ddrillic, Following up on my previous answer after more research. @ppablo and @aaraneta helped me look through several other related inquiries and the documentation on Splunk Docs, and unfortunately it looks like the original evtx files can't be uploaded in this way as you requested due to the proprietary nature of the evtx files. You can read more from the answers to these questions here: https://answers.splunk.com/topics/evtx.html

We have a pretty active public Slack chat if you'd like to reach out there for more info or to see if an active user has found a workaround. You first have to request access through http://splk.it/slack. Fill out the form, and once you receive the approval email from our Community Manager (the approval process usually takes a couple of days), you can access Slack.com and ask for help in the #general channel.

0 Karma

ddrillic
Ultra Champion

Great, but I would like to upload them as files and not monitor them, which we can't at this point...

0 Karma