Getting Data In

WIndows Active Directory sourcetypes

Gene
Path Finder

Dear Splunkers, I have a question regarding AD data input. Can you please advise on what sourcetype and source of events is correct one?

I have installed UF and created input - data came from WinEventLog:Security source. Then I installed Addon for Microsoft and created blacklists in inputs.conf file and pushed it to UF. After that modification I receive events from XmlWinEventLog:SecurityI was trying to figure out which one is correct but had no luck to find clear answer.
My inputs.conf

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5

renderXml=true
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"

0 Karma
1 Solution

venkatasri
SplunkTrust
SplunkTrust

Hi @Gene 

Docs says, with renderXml=true option you would see xmlwineventlog sourcetype.  if you make it false the sourcetype would switch to classic mode.

Previous versions of the Splunk Add-on for Windows collected WinEventLog data collection inputs in Classic mode. By default, version 6.0.0 of the Splunk Add-on for Windows collects all WinEventLog data collection inputs in XML mode.

Refer - Upgrade the Splunk Add-on for Windows - Splunk Documentation having detailed info.

----

An upvote would be appreciated if it helps!

View solution in original post

venkatasri
SplunkTrust
SplunkTrust

Hi @Gene 

Docs says, with renderXml=true option you would see xmlwineventlog sourcetype.  if you make it false the sourcetype would switch to classic mode.

Previous versions of the Splunk Add-on for Windows collected WinEventLog data collection inputs in Classic mode. By default, version 6.0.0 of the Splunk Add-on for Windows collects all WinEventLog data collection inputs in XML mode.

Refer - Upgrade the Splunk Add-on for Windows - Splunk Documentation having detailed info.

----

An upvote would be appreciated if it helps!

Gene
Path Finder

Thanks. That's what I was looking for!

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...