Re: Monitoring WEC .evtx files on another drive

Blackmagician · ‎09-22-2020

I am after some help to debug why Splunk is not monitoring my external .evtx files.

Currently have the following:

%SplunkHome%/etc/system/local/inputs.conf

[monitor://E:WINEVT\Logs\*]
disabled = 0
index = event_collector
sourcetype = WinEventLog

I have tried to debug this using Splunk list inputstatus and I can see that Splunk is reading the file but it is not getting indexed and I am getting output on my tcp stream with the indexer like this:

x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\

I have also tried:

[WinEventLog://E:WINEVT\Logs\*]
disabled = 0
index = event_collector
sourcetype = WinEventLog

With no luck and no output on the TCP stream with theindexer.

Any tips on debugging or solutions much appreciated.

richgalloway · ‎09-23-2020

To monitor Windows event logs, use the form WinEventLog://<name> where <name> is the type of event you want to monitor. Do not specify a .evtx file as <name>. Do not try to use monitor://*.evtx as Splunk cannot read an event log directly like that.

Your best option is to install a Windows add-on (along with a Universal Forwarder) from splunkbase on the system you want to monitor and the enable the desired inputs.

---
If this reply helps you, Karma would be appreciated.

Monitoring WEC .evtx files on another drive

inputs.conf

monitor

universal forwarder

Windows

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life