I have a need to import older Windows .evt files into my Splunk environment. Since the Splunk server is on Linux I got the impression that I would only be able to import the .evt files from one of my Windows clients that I have the universal forwarder installed on. However, when I go to run the splunk.exe CLI to add monitors I get an error stating that Python.EXE cannot be located, and it is indeed not anywhere in the SplunkUniversalForwarder tree. Is there another way to add this data that I'm not thinking of?
I'm kind of confused. Did you install the Splunk Universal Agent on the Windows server and then try to set up the inputs? Are you forwarding the events to a central indexer?
Correct. Agents were installed on several Linux and Windows clients months ago and configured to send audit data / security event logs back to the central indexer. That works and has worked pretty much flawlessly from day one. Now I have a requirement to be able to load Windows security events from before the Splunk installation, which we have in .evt and .evtx files.
Loading the files from the main Splunk instance seemed to accept the file but then nothing happened, or at least no events from that file were able to be seen later. That was the first attempt. After that I read here that one would have to process the .evt files from a Windows machine because of .dlls that are required to see the data.
I think at this point I just need to install Python on one of my Windows forwarders. I assumed that Python came with the forwarders, so I was surprised when splunk.exe would not run.
Is there anything stopping you from installing Python? I am using universal forwarders but created a deployment app that contains a portable Python version and a script to add the app directory to the PATH environment variable. You could also just install Python to %Splunk Install Path%\Splunk\bin.
Chad, not sure what's going on with the CLI, I'll investigate, but for now put your .evt file(s) in a folder and add that folder to the Splunk forwarder for monitoring by adding the path of the folder to an inputs.conf, e.g.:
In "splunk\etc\apps\search\local\inputs.conf" add:

    [monitor://c:\Users\ledio\Desktop\test]
    disabled = false
    followTail = 0

where test is the folder in which you have the .evt file(s).
About the CLI: I installed the latest 4.2.2 SplunkForwarder and tried adding the same folder for monitoring, and it worked fine:
c:\Program Files\SplunkUniversalForwarder\bin>splunk add monitor c:\Users\ledio\Desktop\test
Splunk username: admin
Added monitor of 'c:\Users\ledio\Desktop\test'.
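Before waiting on the indexer to show events from the historical files, it helps to confirm that the monitor stanza is enabled, that it points at a folder which actually contains .evt/.evtx files, and that followTail is 0 (otherwise the forwarder would skip content that already exists in the files). The script below is an added example, not code from the thread or from Splunk: it parses an inputs.conf fragment with Python's configparser, checks each [monitor://...] stanza and returns a verdict per stanza. The sample stanza and the temporary test folder it builds are constructed for the demonstration; the c:\Users\ledio\Desktop\test path is taken from the post above and is assumed not to exist on the machine running the script.

```python
"""Sanity-check the [monitor://...] stanzas used to ingest a folder of .evt/.evtx files.

Added example (not from the thread or from Splunk). Parses an INI-style
inputs.conf fragment, and for each monitor stanza reports whether it is
enabled, whether followTail would skip existing file content, and how many
.evt/.evtx files the monitored folder really contains.
"""
import configparser
import os
import tempfile

MONITOR_PREFIX = "monitor://"

# Constructed sample mirroring the stanza posted in the thread (path assumed).
SAMPLE_INPUTS_CONF = """\
[monitor://c:\\Users\\ledio\\Desktop\\test]
disabled = false
followTail = 0
"""


def parse_monitor_stanzas(conf_text):
    """Return one dict per [monitor://...] stanza found in conf_text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: Splunk settings such as followTail are case-sensitive
    cp.read_string(conf_text)
    stanzas = []
    for section in cp.sections():
        if not section.startswith(MONITOR_PREFIX):
            continue
        opts = cp[section]
        stanzas.append({
            "path": section[len(MONITOR_PREFIX):],
            "disabled": opts.getboolean("disabled", fallback=False),
            "followTail": opts.getint("followTail", fallback=0),
        })
    return stanzas


def count_event_log_files(folder):
    """Count .evt/.evtx files directly inside folder; 0 if the folder is missing."""
    if not os.path.isdir(folder):
        return 0
    return sum(1 for name in os.listdir(folder)
               if name.lower().endswith((".evt", ".evtx")))


def check_inputs_conf(conf_text):
    """Return per-stanza findings: path, flags, file count and a one-line verdict."""
    results = []
    for stanza in parse_monitor_stanzas(conf_text):
        files = count_event_log_files(stanza["path"])
        if stanza["disabled"]:
            verdict = "stanza disabled"
        elif files == 0:
            verdict = "no .evt/.evtx files found"
        elif stanza["followTail"]:
            verdict = "followTail=1 would skip existing content"
        else:
            verdict = "ok"
        results.append({**stanza, "files": files, "verdict": verdict})
    return results


def build_monitor_stanza(folder, disabled=False, follow_tail=0):
    """Render an inputs.conf monitor stanza for folder, in the same shape as the post."""
    return "[%s%s]\ndisabled = %s\nfollowTail = %d\n" % (
        MONITOR_PREFIX, folder, "true" if disabled else "false", follow_tail)


def make_constructed_folder(names=("Security.evt", "Application.evtx", "README.txt")):
    """Create a temporary folder of empty files (constructed test data) and return its path."""
    folder = tempfile.mkdtemp(prefix="evt_import_")
    for name in names:
        open(os.path.join(folder, name), "w").close()
    return folder


if __name__ == "__main__":
    for finding in check_inputs_conf(SAMPLE_INPUTS_CONF):
        print(finding)
    demo_folder = make_constructed_folder()
    for finding in check_inputs_conf(build_monitor_stanza(demo_folder)):
        print(finding)
```

Run it against the contents of your own etc\apps\search\local\inputs.conf on the forwarder; a stanza reported as "ok" is one the forwarder should pick up, and "no .evt/.evtx files found" usually means a typo in the folder path rather than a forwarder problem.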
Do you have a python.exe anywhere in C:\Program Files\SplunkUniversalForwarder? I'm getting the impression that everyone assumes that there is Python installed elsewhere on the Windows clients, which is not the case in my environment.
There is no Python on that system; at the same time, SplunkForwarder doesn't need Python to run any of its CLI commands.
I would check to make sure that a correct package is installed/upgraded, and that you don't have leftover binaries from a previous Splunk installation.
Also, when you run the "monitor" command, use Process Explorer from Sysinternals to see what binaries get executed. You should not see any Python whatsoever...
It appears that the error looking for Python.exe only shows up when you run splunk.exe without any arguments. "splunk help" or "splunk list monitor", for example, return the expected results.