I've recently updated the Splunk_TA_windows from version 4.1.8 to version 8.12. As I went through the documentation I noticed there was a new setting under inputs.conf that mentioned to set "renderXml=0" in order to keep WinEventLogs in "classic" or "friendly" mode.
After making that update to the TA's deployed to all UF's and to the Indexer Cluster I'm now getting the same event under both formats.
e.g., If I have an EventCode=4624 for a specific host, I run a search and I can see the same event (different format) with sources:
XmlWinEventLog:Security AND WinEventLog:Security
I only want the WinEventLogs in classic mode, don't need the XML at the moment. 😖
If I set renderXml=true I ONLY get XmlWinEventlogs.
Some Details:
- I ran btool for inputs on a dev UF and I can see that renderXml=false
- I ran btool for inputs in one indexer and I can see that renderXml=false
- Splunk_TA_windows version 8.1.2
My inputs.conf file
[WinEventLog://Security]
disabled = 0
renderXml = false
Does anyone have any idea why I'm still seeing both formats?
Seems like WEF was set up forwarding Xml WinEventLogs simultaneously duplicating events in different format. After disabling WEF I was able to confirm logs were ingested in desired "classic" format.
Also found this helpful:
Seems like WEF was set up forwarding Xml WinEventLogs simultaneously duplicating events in different format. After disabling WEF I was able to confirm logs were ingested in desired "classic" format.
Also found this helpful: