Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Ingesting XML and Classic WinEventLogs issue (renderXml=false)

Matias
Engager
‎09-09-2021 01:00 PM

I've recently updated the Splunk_TA_windows from version 4.1.8 to version 8.12. As I went through the documentation I noticed there was a new setting under inputs.conf that mentioned to set "renderXml=0" in order to keep WinEventLogs in "classic" or "friendly" mode. 

After making that update to the TA's deployed to all UF's and to the Indexer Cluster I'm now getting the same event under both formats. 

e.g., If I have an EventCode=4624 for a specific host, I run a search and I can see the same event (different format) with sources:

XmlWinEventLog:Security AND WinEventLog:Security

I only want the WinEventLogs in classic mode, don't need the XML at the moment. 😖

If I set renderXml=true I ONLY get XmlWinEventlogs.

Some Details:

- I ran btool for inputs on a dev UF and I can see that renderXml=false

- I ran btool for inputs in one indexer and I can see that renderXml=false

Splunk_TA_windows version 8.1.2 

My inputs.conf file

 

[WinEventLog://Security]
disabled = 0
renderXml = false

 

 

 

Does anyone have any idea why I'm still seeing both formats? 

 

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Matias
Engager
‎09-17-2021 07:11 AM

Seems like WEF was set up forwarding Xml WinEventLogs simultaneously duplicating events in different format. After disabling WEF I was able to confirm logs were ingested in desired "classic" format.

Also found this helpful:

https://www.splunk.com/en_us/blog/tips-and-tricks/what-the-wef-choosing-windows-event-forwarding-or-...

 

View solution in original post

Reply
Solved! Jump to solution
Solution

Matias
Engager
‎09-17-2021 07:11 AM

Seems like WEF was set up forwarding Xml WinEventLogs simultaneously duplicating events in different format. After disabling WEF I was able to confirm logs were ingested in desired "classic" format.

Also found this helpful:

https://www.splunk.com/en_us/blog/tips-and-tricks/what-the-wef-choosing-windows-event-forwarding-or-...

 

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...