Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

WEF-forwarded events metadata and non-defined input

PickleRick
SplunkTrust
SplunkTrust
‎04-08-2021 02:57 AM

Hi there

I'm trying hard to make sense of events forwarded by WEF/WEC and collected by UF.

I have a WEF subscription that forwards events from a host called "WinDev2102Eval" to a host "testdziura".

On that host I have a UF installed along with Splunk_TA_windows app.

I have an input defined quite normally:

[WinEventLog://ForwardedEvents]
evt_resolve_ad_obj = 0
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents
renderXml = true
host=WinEventLogForwardHost

There is nothing out of the ordinary.

The events that come from the WEC host iself are shown as having host field set to "testdziura" (as configured in system/local/inputs.conf), the events collected from the other host are shown with host "WinDev2102Eval". Which is OK from the logical point of view.

I don't understand though how I can match those WEF-forwarded events in props.conf (I need to perform some additional transforms for a subset of those events).

Adding stanza [host::testdziura] applies only to events generated locally on the WEC host, not to those collected into Forwarded Events.

Stanza [host::WinDev2102Eval] simply doesn't work.

Surprisingly [source::WinEventLog:ForwardedEvents] applies to those forwarded events but this definition is way too broad for me.

What I'm trying to understand is how the hell it all works. Because I don't see that source (WinEventLog:ForwardedEvents) anywhere near the events in question. In my quest for understanding I even resorted to dumping the network traffic (for debug purposes I don't use TLS in my lab) and got completely puzzled since the only metadata that seems to be getting sent with the event is the source, which is a location of splunk-winevtlog.exe (and thus completely different from the working stanza shown above) and destination index _MetaData:Index winevents. I suppose that host::testdziura is getting set by default from the general connection properties (I can see it presented at the beginning of the UF to Indexer connection).

So I'm completely lost here. Where is this ForwardedEvent source coming from? Why isn't my [host::] stanza not working? And what should I put there to make it work?

For debug purposes I did a simple transform that rewrites MetaData:Host into a Original_Host field so I thought I would see what splunk sees. But it's even more confusing since the events show Original_Host having value "host::WinDev2102Eval".

Another question which got me puzzled is that I don't seem to have any input for the "typical" event logs (System, Application, Setup) explicitly defined (all those defined in Splunk_TA_windows/default/inputs.conf have disabled=1) but I'm still getting the events (and btools inputs list shows the inputs with disabled=0). What did I miss?

 

Best regards,

MK

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-08-2021 03:42 AM

OK. It seems that after I changed the input on UF to a different host value (not that WinEventLogForwardHost), the Indexer finally noticed that. The downside is that now the computer name is not getting extracted from the event data into the host field but that I can do myself I suppose. But it's still confusing.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...