Getting Data In

How to upload wevtutil generated xml file of Security log into Splunk?

ageld2020
New Member

I have a situation where I need to dump a remote Security log with wevtutil and subsequently upload it into Splunk to cross-correlate it with XmlWinEventLog sourcetype logs.

I hoped that the XML structure of the wevtutil XML file is the same as the structure of the file received by Splunk from Universal Forwarders. It looks like that is not the case.

I tried to upload the XML file into Splunk, but for some reason Splunk converts it into a bunch of unicode characters rather than recognizing it as an XML file. Selecting the XmlWinEventLog sourcetype did not help either.

I wonder if anyone has managed to load an XML file created by the wevtutil utility into Splunk with proper field extraction.

Thank you.
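An added example, not part of the original question: a small Python helper that normalizes a `wevtutil qe Security /f:xml` dump before upload. It assumes two things about such dumps (both assumptions, not stated on the page): that a redirected dump is often UTF-16 with a BOM, which is one plausible cause of the "unicode characters" symptom when Splunk reads it as UTF-8, and that the file is a root-less sequence of `<Event>` elements, so it rewrites them one event per line and pulls out EventID, Computer and TimeCreated so the result can be checked against an event that arrived via a Universal Forwarder. The sample input is constructed.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Namespace of Windows event XML; the same in wevtutil and forwarder output.
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

def decode_dump(raw: bytes) -> str:
    """Decode a redirected wevtutil dump. Assumption: such dumps are often
    UTF-16 with a BOM, which shows up as junk when read as UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")  # the BOM selects the byte order
    return raw.decode("utf-8-sig", errors="replace")

def split_events(text: str) -> list:
    """wevtutil writes <Event> elements back to back with no root element;
    return each one as a single-line XML string (one event per line)."""
    events = re.findall(r"<Event\b.*?</Event>", text, flags=re.S)
    return [re.sub(r">\s+<", "><", e).strip() for e in events]

def summarize(event_xml: str) -> dict:
    """Fields worth checking before indexing: EventID, Computer, time."""
    system = ET.fromstring(event_xml).find(EVT_NS + "System")
    return {
        "EventID": system.findtext(EVT_NS + "EventID"),
        "Computer": system.findtext(EVT_NS + "Computer"),
        "TimeCreated": system.find(EVT_NS + "TimeCreated").get("SystemTime"),
    }

def convert(raw: bytes) -> list:
    """Bytes of a wevtutil dump -> one-line event strings ready for upload."""
    return split_events(decode_dump(raw))

# Constructed sample: two Security events shaped like wevtutil qe /f:xml
# output, encoded as UTF-16 with BOM to mimic a redirected dump.
SAMPLE_DUMP = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
    '<EventID>4624</EventID><TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/>'
    "<Computer>host1.example.local</Computer></System>"
    '<EventData><Data Name="TargetUserName">alice</Data></EventData></Event>\r\n'
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
    '<EventID>4672</EventID><TimeCreated SystemTime="2024-01-01T10:00:01.000Z"/>'
    "<Computer>host1.example.local</Computer></System><EventData/></Event>\r\n"
).encode("utf-16")

if __name__ == "__main__":  # usage: python convert.py dump.xml > security.xml
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print("\n".join(convert(raw)))
```

Write the output as UTF-8 and compare one converted line with a forwarder-delivered event of the same EventID before relying on the XmlWinEventLog extractions.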
