Re: Monitoring WEC .evtx files on another drive

Blackmagician · ‎09-22-2020

I am after some help to debug why Splunk is not monitoring my external .evtx files.

Currently have the following:

%SplunkHome%/etc/system/local/inputs.conf

[monitor://E:WINEVT\Logs\*]
disabled = 0
index = event_collector
sourcetype = WinEventLog

I have tried to debug this using Splunk list inputstatus and I can see that Splunk is reading the file but it is not getting indexed and I am getting output on my tcp stream with the indexer like this:

x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\

I have also tried:

[WinEventLog://E:WINEVT\Logs\*]
disabled = 0
index = event_collector
sourcetype = WinEventLog

With no luck and no output on the TCP stream with theindexer.

Any tips on debugging or solutions much appreciated.

richgalloway · ‎09-23-2020

To monitor Windows event logs, use the form WinEventLog://<name> where <name> is the type of event you want to monitor. Do not specify a .evtx file as <name>. Do not try to use monitor://*.evtx as Splunk cannot read an event log directly like that.

Your best option is to install a Windows add-on (along with a Universal Forwarder) from splunkbase on the system you want to monitor and the enable the desired inputs.

---
If this reply helps you, Karma would be appreciated.

Monitoring WEC .evtx files on another drive

inputs.conf

monitor

universal forwarder

Windows

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation