Getting Data In

Ingesting XML and Classic WinEventLogs issue (renderXml=false)

Matias
Engager

I've recently updated the Splunk_TA_windows from version 4.1.8 to version 8.12. As I went through the documentation I noticed there was a new setting under inputs.conf that mentioned to set "renderXml=0" in order to keep WinEventLogs in "classic" or "friendly" mode. 

After making that update to the TA's deployed to all UF's and to the Indexer Cluster I'm now getting the same event under both formats. 

e.g., If I have an EventCode=4624 for a specific host, I run a search and I can see the same event (different format) with sources:

XmlWinEventLog:Security AND WinEventLog:Security

I only want the WinEventLogs in classic mode, don't need the XML at the moment. 😖

If I set renderXml=true I ONLY get XmlWinEventlogs.

Some Details:

- I ran btool for inputs on a dev UF and I can see that renderXml=false

- I ran btool for inputs in one indexer and I can see that renderXml=false

Splunk_TA_windows version 8.1.2 

My inputs.conf file

 

[WinEventLog://Security]
disabled = 0
renderXml = false

 

 

 

Does anyone have any idea why I'm still seeing both formats? 

 

Labels (4)
0 Karma
1 Solution

Matias
Engager

Seems like WEF was set up forwarding Xml WinEventLogs simultaneously duplicating events in different format. After disabling WEF I was able to confirm logs were ingested in desired "classic" format.

Also found this helpful:

https://www.splunk.com/en_us/blog/tips-and-tricks/what-the-wef-choosing-windows-event-forwarding-or-...

 

View solution in original post

Matias
Engager

Seems like WEF was set up forwarding Xml WinEventLogs simultaneously duplicating events in different format. After disabling WEF I was able to confirm logs were ingested in desired "classic" format.

Also found this helpful:

https://www.splunk.com/en_us/blog/tips-and-tricks/what-the-wef-choosing-windows-event-forwarding-or-...

 

Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through: An introduction to the Splunk Threat ...