Hi Splunkers.
I am trying to retrieve Windows event logs from an endpoint using a universal forwarder.
Having problems doing this where the log location contains a hyphen in the path/name.
Normally, to access a log located in Event Viewer at: Microsoft --> Windows --> AppLocker --> EXE and DLL
one would use [WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL] in the inputs.conf.
... The "-" in the WinEventLog stanza heading is used as the path separator, not unlike a "/" in a pathname.
The problem I am having is where the paths or the actual name of a particular log contains a "-".
For example, for a path such as Microsoft --> Windows --> BitLocker-API --> Management, how do you escape the "-" in the WinEventLog:// stanza so that Splunk interprets the "-" as part of "BitLocker-API" and not as the path separator?
Is there any special handling needed to escape the "-" for it to be interpreted correctly?
I have tried many combinations, including escaping it with a "\", but had no luck. The log is never retrieved.
I have tried this with a custom path without a "-" in the name and it works as expected. Creating an identical custom log with a "-" in the name/path does not retrieve the log.
Cheers.
OK, got it. For others chasing this: it seems the log names displayed in the tree view of Event Viewer are not necessarily what the logs are actually called.
The best way to get the string for the WinEventLog stanza is to use Event Viewer and open the properties of the log.
The "Full Name" field will give you the name needed in the stanza.
For example, browsing the Event viewer the BitLocker log displays under the following path:
Microsoft -> Windows -> BitLocker-API -> Management.
"Microsoft-Windows-BitLocker/BitLocker Management" is how it shows up under properties (note the "-API" part is missing).
Thanks for looking...
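As an added example (not from the original thread or from Splunk's own documentation), the same "Full Name" lookup can be scripted on the endpoint instead of clicking through Event Viewer. Get-WinEvent -ListLog returns the channel's LogName, which is the string the properties dialog shows as "Full Name" and the string a WinEventLog:// stanza needs. The BitLocker channel name and the index name below are assumptions for illustration; the function New-WinEventLogStanza is a helper written here, not a Splunk command.

```powershell
# Added example: resolve the real channel name ("Full Name") of a Windows event log
# and build the matching inputs.conf stanza, so hyphens in the Event Viewer tree
# path never have to be guessed at or escaped.
# Assumes a Windows 10 / Server 2016+ host with the BitLocker channel present.

# Enumerate every channel on the host. LogName is the "Full Name" shown in the
# Event Viewer properties dialog, e.g. "Microsoft-Windows-BitLocker/BitLocker Management".
# Some channels are ACL-restricted and throw on read; suppress those rather than abort.
$logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue

# Show all BitLocker-related channels. Note that the tree node "BitLocker-API" does not
# appear anywhere in the LogName; the tree is a display grouping, not the channel name.
$logs |
    Where-Object { $_.LogName -like '*BitLocker*' } |
    Select-Object LogName, IsEnabled, RecordCount, LogMode |
    Format-Table -AutoSize

function New-WinEventLogStanza {
    <#
      Builds a [WinEventLog://<LogName>] stanza for inputs.conf.
      Verifies the channel exists first: a mistyped channel name does not error in
      Splunk, it just silently collects nothing, which is the symptom in this thread.
    #>
    param(
        [Parameter(Mandatory)][string]$LogName,
        [string]$Index = 'wineventlog'   # assumed index name, adjust to your deployment
    )
    if (-not (Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue)) {
        throw "No event log channel named '$LogName' exists on this host"
    }
    # Hyphens and spaces in LogName are used as-is; nothing is escaped.
@"
[WinEventLog://$LogName]
disabled = 0
index = $Index
renderXml = true
"@
}

# The channel the thread was after. The "-API" from the tree view is absent here.
New-WinEventLogStanza -LogName 'Microsoft-Windows-BitLocker/BitLocker Management'
```

Run this as an administrator on the forwarder host, paste the emitted stanza into the app's local/inputs.conf, and restart the forwarder. If the channel name in the stanza does not match a LogName returned by Get-WinEvent -ListLog, the input will start without error and simply never index anything, which is exactly the behaviour described above.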
Great job solving your own problem. You should accept your own answer, so that others searching in the future know you resolved it.
Good Luck.
@torowa If your problem is resolved, please accept an answer to help future readers.
Can you post your [monitor] stanza from inputs.conf for that path?
I have tried all these variants:
WinEventLog://Microsoft-Windows-BitLocker-API/Management
Also have tried varying forms of escaping the "-" between BitLocker and API:
[WinEventLog://Microsoft-Windows-BitLocker-API/Management]
[WinEventLog://Microsoft-Windows-BitLocker\-API/Management]
None of these seemed to do the trick....
For example...
This one works:
[WinEventLog://Microsoft-Windows-BranchCache/Operational]
The actual log itself is called "Operational".
... however, trying to access Microsoft -> Windows -> BitLocker-API -> Management doesn't work (note that one of the path segments is "BitLocker-API").
I suspect this one doesn't work because Splunk would see "BitLocker" and "API" as different segments of the path:
[WinEventLog://Microsoft-Windows-BitLocker-API/Management]
I've tried both of these, escaping the "-" with an escape character:
[WinEventLog://Microsoft-Windows-BitLocker\-API/Management]
[WinEventLog://Microsoft-Windows-BitLocker-API/Management]
but have been unable to pull the events successfully.