Getting Data In

How to import exported windows eventlog to eventviewer for indexing?

Takajian
Builder

I have exported evt files on Windows. I would like to index it by splunk. I know splunk on windows can index their own windows application and system, security logs. But I am not sure how to import exported evt files to windows event viewer in order to index them by splunk. Could somebody help to achieve this? Thank you in advance.

ramya_k
Engager

For one time activity is there any way to upload the imported eventviewer logs in evtx format for analysis.

0 Karma

rovechkin_splun
Splunk Employee
Splunk Employee
0 Karma

rovechkin_splun
Splunk Employee
Splunk Employee
  • you would need to convert evtx file in a Splunk friendly format such as xml using wevtutil
    For example:
    wevtutil qe /lf yourlog.evtx > yourlog.xml

  • You can import xml file by using Splunk input manager and defining you own sourcetype:
    Manader->Data Inputs->Files and Directories -> Start a new source type
    Select .xml and then adjust parsing setting until you get individual events. I ended up with props.conf like following:

BREAK_ONLY_BEFORE=<Event

NO_BINARY_CHECK=1

SHOULD_LINEMERGE=true

TIME_PREFIX=SystemTime=

  • From that point on Splunk should be able to parse xml event natively

Note that xml event contains only bare xml data, while Windows event viewer also adds metadata to it, such as error message text. It might be possible to add this information while exporting logs (it offers saving language specific information during export), but I didn't try that.

Takajian
Builder

I am thinking both cases. Do you know how I need to configure configuration file like props.conf. Windows eventlog is binary, so I think I need to configure something to index the eventlog by one-time upload or set up a file/directory. Could you kindly help?

0 Karma

cphair
Builder

Is this a one-time upload, or will you need to read these files on an ongoing basis? If it's one-time, you can probably use the Manager in Splunk Web to read them in. If it's ongoing, you may need to set up a file/directory monitor.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...