I am after some help to debug why Splunk is not monitoring my external .evtx files.
Currently have the following:
%SplunkHome%/etc/system/local/inputs.conf
[monitor://E:WINEVT\Logs\*]
disabled = 0
index = event_collector
sourcetype = WinEventLog
I have tried to debug this using Splunk list inputstatus and I can see that Splunk is reading the file but it is not getting indexed and I am getting output on my tcp stream with the indexer like this:
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\
I have also tried:
[WinEventLog://E:WINEVT\Logs\*]
disabled = 0
index = event_collector
sourcetype = WinEventLog
With no luck and no output on the TCP stream with the indexer.
Any tips on debugging or solutions much appreciated.
To monitor Windows event logs, use the form WinEventLog://<name> where <name> is the type of event you want to monitor. Do not specify a .evtx file as <name>. Do not try to use monitor://*.evtx as Splunk cannot read an event log directly like that.
Your best option is to install a Windows add-on (along with a Universal Forwarder) from splunkbase on the system you want to monitor and then enable the desired inputs.
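An added example of the inputs.conf form the answer describes (not taken from the question or the answer), assuming a Universal Forwarder runs on the Windows host and reuses the event_collector index named in the question; the channel names and the settings shown are standard WinEventLog input keys, and the pre-filter on event codes is only an illustration of where such filtering would go:

```ini
# inputs.conf on the Universal Forwarder, e.g. %SplunkHome%\etc\system\local\inputs.conf
# (or, preferably, inside a deployment app under etc\apps).

# Does NOT work: monitor:// treats the .evtx as a flat file, so the forwarder
# reads binary (the \x00 bytes seen on the TCP stream) and nothing is indexed.
# [monitor://E:\WINEVT\Logs\*]
# sourcetype = WinEventLog

# Works: WinEventLog://<channel name>, one stanza per Windows event channel.
[WinEventLog://Security]
disabled = 0
index = event_collector
# On first start, read the whole channel rather than only new events;
# omit or set start_from = newest / current_only = 1 to skip the backlog.
start_from = oldest
current_only = 0
# Keep events as plain text (set renderXml = 1 for XML-formatted events).
renderXml = 0
# Optional pre-filter on the forwarder: only forward the listed event IDs
# (logon success/failure, process creation, account management). Drop this
# line to forward the whole channel.
whitelist = 4624,4625,4688,4720,4728,4732,4756

[WinEventLog://System]
disabled = 0
index = event_collector

[WinEventLog://Application]
disabled = 0
index = event_collector
```

After saving, restart the forwarder and confirm with `splunk list inputstatus` that the WinEventLog stanzas appear as active inputs; events then arrive with sourcetype WinEventLog and source WinEventLog:Security (and so on) without any sourcetype being set by hand.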