Getting Data In

Universal Forwarder and AppLocker Events XML

pirsa
Explorer

Hey Guys trying to toubleshoot an issue here. Trying to get the XML events from the UF on Windows machines into splunk.

The normal

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]

seems to work, but for some reason if I change to get the extended xml version of

[XmlWinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]

it does not send anything through to the indexer.

I am wondering if there is maybe a setting in windows preventing the splunk UF from obtaining the XML exports of the events? anyone able to shed some light on this?

0 Karma

Flo-Paris
Explorer
 
0 Karma

Flo-Paris
Explorer
 
0 Karma

jeremyhagand61
Communicator

Add renderXml=true to your stanza

0 Karma

Flo-Paris
Explorer

Hello,

Did you find a solution ? i have the same issue, i dont know how to get in my splunk the xml part of the eventlog where the most useful information (file signature, full file path, etc...) are concerning AppLocker...

Any help ?

thanks,

Florent

 

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...