Dear Splunkers, I have a question regarding AD data input. Can you please advise which sourcetype and source of events is the correct one?
I have installed UF and created input - data came from WinEventLog:Security source. Then I installed Addon for Microsoft and created blacklists in inputs.conf file and pushed it to UF. After that modification I receive events from XmlWinEventLog:Security. I was trying to figure out which one is correct but had no luck finding a clear answer.
My inputs.conf
[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = true
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
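To make the effect of the two blacklist entries in the posted inputs.conf concrete, here is an added Python example (not from this thread, nor Splunk's own code) that applies the same key=regex semantics to constructed classic-format Security events: every key in one blacklistN entry must match for an event to be dropped, so 4662 and 566 events are dropped unless the Object Type is groupPolicyContainer. The sample events and the simplified parser are assumptions made for the illustration.

```python
import re

# Blacklist entries copied from the posted inputs.conf as key=regex pairs.
# Splunk drops an event when ALL pairs in one blacklistN entry match;
# separate blacklistN entries are combined with OR. Regexes are unanchored.
BLACKLIST = [
    {"EventCode": r"4662", "Message": r"Object Type:(?!\s*groupPolicyContainer)"},
    {"EventCode": r"566",  "Message": r"Object Type:(?!\s*groupPolicyContainer)"},
]


def is_blacklisted(event: dict, rules=BLACKLIST) -> bool:
    """Return True if any rule has every key regex matching its event field."""
    for rule in rules:
        if all(re.search(rx, event.get(key, "")) for key, rx in rule.items()):
            return True
    return False


def parse_classic(raw: str) -> dict:
    """Extract Key=Value header fields and the Message text from a simplified
    classic WinEventLog:Security event (constructed layout, not a full event)."""
    head, _, message = raw.partition("Message=")
    fields = dict(line.split("=", 1) for line in head.strip().splitlines() if "=" in line)
    fields["Message"] = message.strip()
    return fields


# Constructed sample events (not real log data); the tabs mimic the layout
# Windows uses in the rendered message text.
SAMPLES = {
    "gpo_access": "EventCode=4662\nLogName=Security\nMessage=An operation was performed on an object.\n"
                  "Object:\n\tObject Type:\t\tgroupPolicyContainer\n",
    "user_access": "EventCode=4662\nLogName=Security\nMessage=An operation was performed on an object.\n"
                   "Object:\n\tObject Type:\t\tuser\n",
    "logon": "EventCode=4624\nLogName=Security\nMessage=An account was successfully logged on.\n",
    "gpo_566": "EventCode=566\nLogName=Security\nMessage=Object Operation.\n\tObject Type:\tgroupPolicyContainer\n",
}


def filter_events(samples=SAMPLES) -> dict:
    """Map each sample name to 'kept' or 'dropped' after applying the blacklist."""
    return {name: ("dropped" if is_blacklisted(parse_classic(raw)) else "kept")
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in filter_events().items():
        print(f"{name}: {verdict}")
```

Only the 4662 event whose Object Type is not groupPolicyContainer is dropped; GPO-related 4662/566 events and unrelated event codes pass through untouched.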
Hi @Gene
Docs say that with the renderXml=true option you would see the xmlwineventlog sourcetype. If you make it false, the sourcetype would switch to classic mode.
Previous versions of the Splunk Add-on for Windows collected WinEventLog data collection inputs in Classic mode. By default, version 6.0.0 of the Splunk Add-on for Windows collects all WinEventLog data collection inputs in XML mode.
Refer to "Upgrade the Splunk Add-on for Windows" in the Splunk Documentation, which has detailed info.
----
An upvote would be appreciated if it helps!
Thanks. That's what I was looking for!