Getting Data In

How do I ingest the details tab in Windows Forwarded Events?

devinmclean
Path Finder

I have a server that received forwarded event logs from clients within my Enterprise. The event logs are simple to retrieve via the below standard inputs.conf stanza:

[WinEventLog://ForwardedEvents]
index = redacted
current_only=1
evt_resolve_ad_obj=0
renderXml=1
disabled=0

When the event logs come into Splunk, they only show EventCode, EventType, ComputerName, User, Sid, SidType, TaskCategory, OpCode, RecordNumber, Keywords, and Message (which is blank). The meat of the log that I need to see is in the details tab (if you're viewing it from Event Viewer in Windows). There's a friendly view and an XML view. Either one of the two detailed views I'd be fine with ingesting. However, Splunk is not ingesting these details. When looking in the XML view, there are two tags within : and . It appears Splunk is only capturing the data and not the that has the meat and potatoes of the log that I need. How do I get this data? I've been doing some searching and found a possible solution using scripted inputs with Wevtutil, but no documentation on how to use that within inputs.conf. I was hoping for an easier solution.

Any help would be greatly appreciated.
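The "details" the question is after live in the event's XML. A Windows event record is an Event element with a System child (provider, event ID, record number, computer, timestamp) and, for most providers, an EventData child holding the named Data values that Event Viewer renders in the Details tab; some providers use a UserData child instead. The following is an added example, not code from the poster or from Splunk: it parses one constructed Security event (sample values are made up) with Python's standard xml.etree and pulls the System fields and the EventData values apart, which is the same information a renderXml=1 input delivers to Splunk once the forwarder supports it.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the XML View in Event Viewer's Details tab.
# Host name, SIDs, record ID and addresses are illustrative, not from any real system.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2020-01-01T12:00:00.000000000Z"/>
    <EventRecordID>123456</EventRecordID>
    <Channel>Security</Channel>
    <Computer>workstation01.example.local</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">10.0.0.5</Data>
  </EventData>
</Event>"""

# Namespace used by the Windows event schema; every element in the record carries it.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.split("}", 1)[-1]


def parse_windows_event(xml_text):
    """Split one rendered Windows event into (system_fields, detail_fields).

    system_fields: text of each <System> child plus its attributes as Tag_Attr
                   (e.g. Provider_Name, TimeCreated_SystemTime).
    detail_fields: <EventData><Data Name="..."> values keyed by Name; unnamed
                   Data elements get positional keys Data_0, Data_1, ...
                   Falls back to flattening <UserData> for providers that use it.
    """
    root = ET.fromstring(xml_text)
    if _local_name(root.tag) != "Event":
        raise ValueError("not a Windows event record: root is not <Event>")

    system = {}
    sys_el = root.find("e:System", NS)
    if sys_el is None:
        raise ValueError("malformed event: <System> element missing")
    for child in sys_el:
        tag = _local_name(child.tag)
        if child.text and child.text.strip():
            system[tag] = child.text.strip()
        for attr, value in child.attrib.items():
            system[f"{tag}_{attr}"] = value

    details = {}
    data_el = root.find("e:EventData", NS)
    if data_el is not None:
        unnamed = 0
        for data in data_el.findall("e:Data", NS):
            name = data.get("Name")
            if name is None:
                name = f"Data_{unnamed}"
                unnamed += 1
            details[name] = (data.text or "").strip()
    else:
        # Some providers (e.g. many operational channels) put details under <UserData>.
        user_el = root.find("e:UserData", NS)
        if user_el is not None:
            for node in user_el.iter():
                if node is not user_el and node.text and node.text.strip():
                    details[_local_name(node.tag)] = node.text.strip()
    return system, details


if __name__ == "__main__":
    sys_fields, detail_fields = parse_windows_event(SAMPLE_EVENT_XML)
    print("System:", sys_fields)
    print("Details:", detail_fields)
```

If the forwarder only sends the System portion, the second dictionary comes back empty, which is a quick way to confirm the symptom in the question on a captured event before changing inputs or upgrading forwarders.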

1 Solution

devinmclean
Path Finder

It turns out the issue was that our forwarders were version 6.1. We needed to upgrade to at least 6.2 to take full advantage of the render XML feature on the universal forwarder.


0 Karma

euroccp
Engager

Did you find any solution? Currently experiencing the same issue.

0 Karma

richgalloway
SplunkTrust

@euroccp This question has two answers, one of them accepted. If neither answer helps you, please post a new question describing your problem.

---
If this reply helps you, Karma would be appreciated.
0 Karma


JDukeSplunk
Builder

We use the Splunk add-on app for Windows. Splunk_TA_Windows.

https://splunkbase.splunk.com/app/742/

With some tweaking, but it has good inputs, transforms and props.conf files. If anything, you can download it, extract it and have a peek at the .conf files.

0 Karma

bmo017
Path Finder

[WinEventLog://ForwardedEvents]
disabled = false
start_from = oldest
current_only = 0
checkpointInterval = 5
index =
renderXml=false

This seems to be working for us if you wanted to give it a shot.

0 Karma