Solved: WIndows Events get \x00\ in agent Splunk Forwarder - Splunk Community

Getting Data In

Hi Everyone,

i got error since i try install new agent in new server using SplunkForwarder.

For inputs.conf i use like this

[WinEventLog://Security]
disabled = 0
index = windows
sourcetype = Wineventlog:Security

[WinEventLog://System]
disabled = 0
index = windows
sourcetype = Wineventlog:System

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
index = windows
sourcetype = WinEventLog:PowerShell

And the preview is like this in source = C:\Windows\System32\winevt\Logs\Microsoft-Windows-WFP%4Operational.evtx

This is not my first time to ingest windows, but this error just happen to me right now. And i confuse how to solved it.

1 Solution

Solution

My bad, in this env my friend setting different inputs.conf and it from .evtx and it cannot readable in splunk without some setting. Sorry guys

View solution in original post

Looks like a binary file was read there.

Have you followed the steps here https://docs.splunk.com/Documentation/Splunk/9.4.0/Data/MonitorWindowseventlogdata ?

Solution

My bad, in this env my friend setting different inputs.conf and it from .evtx and it cannot readable in splunk without some setting. Sorry guys

Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...