Re: Monitoring WEC .evtx files on another drive

Blackmagician · ‎09-22-2020

I am after some help to debug why Splunk is not monitoring my external .evtx files.

Currently have the following:

%SplunkHome%/etc/system/local/inputs.conf

[monitor://E:WINEVT\Logs\*]
disabled = 0
index = event_collector
sourcetype = WinEventLog

I have tried to debug this using Splunk list inputstatus and I can see that Splunk is reading the file but it is not getting indexed and I am getting output on my tcp stream with the indexer like this:

x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\

I have also tried:

[WinEventLog://E:WINEVT\Logs\*]
disabled = 0
index = event_collector
sourcetype = WinEventLog

With no luck and no output on the TCP stream with theindexer.

Any tips on debugging or solutions much appreciated.

richgalloway · ‎09-23-2020

To monitor Windows event logs, use the form WinEventLog://<name> where <name> is the type of event you want to monitor. Do not specify a .evtx file as <name>. Do not try to use monitor://*.evtx as Splunk cannot read an event log directly like that.

Your best option is to install a Windows add-on (along with a Universal Forwarder) from splunkbase on the system you want to monitor and the enable the desired inputs.

---
If this reply helps you, Karma would be appreciated.

Monitoring WEC .evtx files on another drive

inputs.conf

monitor

universal forwarder

Windows

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation