Getting Data In

No python.exe included with universal forwarder?

chadroberts
Path Finder

I have a need to import older Windows .evt files into my splunk environment. Since the splunk server is on linux I got the impression that I would only be able to import the .evt files from one of my Windows clients that I have the universal forwarder installed on. However, when I go to run the splunk.exe cli to add monitors I get an error stating that Python.EXE cannot be located and it is indeed not anywhere in the splunkuniversalforwarder tree. Is there another way to add this data that I'm not thinking of?

1 Solution

chadroberts
Path Finder

It appears that the error looking for Python.exe only shows up when you run splunk.exe without any arguments. "splunk help" or "splunk list monitor" for example return expected results.



Ledio_Ago
Splunk Employee

Chad, not sure what's going on with the CLI, I'll investigate, but for now put your .evt file(s) in a folder and add that folder to the Splunk forwarder for monitoring by adding the path of the folder to an inputs.conf, e.g.:

In "splunk\etc\apps\search\local\inputs.conf" add:

[monitor://C:\Users\ledio\Desktop\test]
disabled = false
followTail = 0

where in test you have the "evt" file(s).


About the CLI, I installed the latest 4.2.2 SplunkForwarder and tried adding the same folder for monitoring, and it worked fine:

c:\Program Files\SplunkUniversalForwarder\bin>splunk add monitor c:\Users\ledio\Desktop\test
Splunk username: admin
Password:
Added monitor of 'c:\Users\ledio\Desktop\test'.

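A script that automates the folder-monitoring approach described above (stage the legacy files, write the same monitor stanza, restart the forwarder and confirm the input is listed). It is added here as an example and is not code from any post in the thread; the install path, staging folder and archive location are assumptions.

```powershell
# Added example, not from the thread. Stage legacy .evt/.evtx files into a
# folder and register that folder as a monitor input on a Windows universal
# forwarder, using the inputs.conf stanza posted above. Paths are assumptions.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # assumed UF install path
$StageDir   = 'C:\SplunkStage\legacy-evt'                   # assumed staging folder
$Source     = 'D:\archive\eventlogs'                        # assumed location of the old logs
$InputsConf = Join-Path $SplunkHome 'etc\apps\search\local\inputs.conf'

# Copy only the legacy event log files into the staging folder.
New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
Get-ChildItem -Path $Source -Include *.evt,*.evtx -Recurse -File |
    Copy-Item -Destination $StageDir

# The stanza from the thread: followTail = 0 reads existing files from the start,
# which is what you want for archived logs rather than live ones.
$Stanza = @"
[monitor://$StageDir]
disabled = false
followTail = 0
"@

# Append the stanza only if it is not already present, so the script can be re-run.
New-Item -ItemType Directory -Path (Split-Path $InputsConf) -Force | Out-Null
$existing = if (Test-Path $InputsConf) { Get-Content $InputsConf -Raw } else { '' }
if ($existing -notmatch [regex]::Escape("[monitor://$StageDir]")) {
    Add-Content -Path $InputsConf -Value "`r`n$Stanza"
}

# Restart the forwarder so it picks up the new input, then confirm it is listed.
$Splunk = Join-Path $SplunkHome 'bin\splunk.exe'
& $Splunk restart
& $Splunk list monitor
```

The final `splunk list monitor` call prompts for the forwarder's admin credentials, as shown in the CLI session above.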

Ledio_Ago
Splunk Employee

There is no python on that system; at the same time, SplunkForwarder doesn't need python to run any of its CLI commands.

I would check to make sure that the correct package is installed/upgraded and that you don't have leftover binaries from a previous Splunk installation.

Also, when you run the "monitor" command, use Process Explorer from Sysinternals to see what binaries get executed. You should not see any python whatsoever...

-Ledio


chadroberts
Path Finder

Do you have a python.exe anywhere in C:\Program Files\SplunkUniversalForwarder? I'm getting the impression that everyone assumes that there is python installed elsewhere on the windows clients which is not the case in my environment.


proctorgeorge
Path Finder

Is there anything stopping you from installing python? I am using universal forwarders but created a deployment app that contains a portable Python version and a script to add the app directory to the PATH environment variable. You could also just install python to %Splunk Install Path%\Splunk\bin.


Brian_Osburn
Builder

I'm kind of confused. Did you install the Splunk Universal Agent on the Windows server and then try to set up the inputs? Are you forwarding the events to a central indexer?

Brian


chadroberts
Path Finder

Loading the files from the main Splunk instance seemed to accept the file but then nothing happened, or at least no events from that file were able to be seen later. That was the first attempt. After that I read here that one would have to process the .evt files from a Windows machine because of .dlls that are required to see the data.

I think at this point I just need to install python on one of my Windows forwarders. I assumed that python came with the forwarders so I was surprised when splunk.exe would not run.


Brian_Osburn
Builder

Have you tried loading them up via the UI from your main Splunk instance instead of the actual agent?


chadroberts
Path Finder

Correct. Agents were installed on several Linux and Windows clients months ago and configured to send audit data / security event logs back to the central indexer. That works and has worked pretty much flawlessly from day one. Now I have a requirement to be able to load Windows security events from before the Splunk installation, which we have in .evt and .evtx files.
