Getting Data In

Why am I getting error: Incorrect sourcetype for windows logs

bbiswabhusan
Explorer

Hello experts,

I have recently onboarded around 300 windows devices. I have followed the onboarding guide and the logs are ingested as required, except for one field, i.e. sourcetype. The source and sourcetype are updated as below

source = WinEventLog:System
sourcetype = wineventlog

Can someone please help in identifying the issue.

Thanks


ThatGuyPSH
Explorer

NOTE: based on the OP comments, this is a common problem specifically for WinEventLog and use case mapping when uploading a CSV into WinEventLog. However, this could pertain to their situation as well since the actual source of the data was not stated (CSV, JSON, etc).

======================================
The issue is more to the 'transform.conf' vs the 'input.conf'.

Since this requires the 'transform.conf' to be edited, you will need CLI access and cannot perform this via the GUI itself (cannot be accomplished solely via: Settings --> Fields --> Field Alias) since the 'transform.conf' cannot be edited from within the GUI. (If there is a way to do this, PLEASE let me know!)

Props.conf & transforms.conf 

1. Edit the file: "$SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/props.conf"

[windows_csv]
rename = WinEventLog

[source::EventCode.csv]
TRANSFORMS-fixcsv = windows-classic-csv

===========================================

2. Edit the file: "$SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/transforms.conf"

[windows-classic-csv]
DEST_KEY = MetaData:Source
REGEX = ,wineventlog:(\S+),
FORMAT = source::WinEventLog:$1

===========================================

-Restart Splunkd (when acceptable to do so) for config changes to take effect, since you edited the "transform.conf" file.

-Import file should be named 'EventCode.csv'

-Sourcetype during add data import should be 'windows_csv' (copied from regular csv sourcetype)


gcusello
SplunkTrust

Hi @bbiswabhusan,

I suppose that you're using the Splunk_TA-Windows for ingesting those logs.

What's the problem you had?

Could you better describe the anomalies you have?

Ciao.

Giuseppe


bbiswabhusan
Explorer

Yes @gcusello, I'm using the Windows TA, but the sourcetype is not extracted properly. It's coming as sourcetype = wineventlog while the source is WinEventLog:Security.


gcusello
SplunkTrust

Hi @bbiswabhusan,

If this is your problem, you could force the correct sourcetype in the inputs.conf so you have the correct mapping.

Ciao.

Giuseppe


bbiswabhusan
Explorer

@gcusello , I already have the below in inputs.conf

[WinEventLog://Security]
persistentQueueSize = 1GB
disabled = 0

Do I need to add anything else?


gcusello
SplunkTrust

Hi @bbiswabhusan,

did you try to force the sourcetype in inputs.conf:

[WinEventLog://Security]
persistentQueueSize = 1GB
disabled = 0
sourcetype = WinEventLog

or

[WinEventLog://Security]
persistentQueueSize = 1GB
disabled = 0
sourcetype = XmlWinEventLog

Ciao.

Giuseppe

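Two checks worth running before touching a 300-host deployment, as an added example that is not part of any post in this thread: a lint over inputs.conf that lists the WinEventLog stanzas still relying on the default sourcetype (the explicit `sourcetype =` fix suggested above), and a dry run of the `REGEX`/`FORMAT` pair from the transforms.conf answer against sample CSV rows. The inputs.conf text and CSV rows are constructed for the example; `STRICT_REGEX` is a tighter variant of the posted pattern, not something from the thread.

```python
import configparser
import re

# Constructed inputs.conf mirroring the stanzas discussed in this thread:
# Security has no explicit sourcetype, System has one.
INPUTS_CONF = """
[WinEventLog://Security]
persistentQueueSize = 1GB
disabled = 0

[WinEventLog://System]
persistentQueueSize = 1GB
disabled = 0
sourcetype = WinEventLog
"""

# Constructed CSV rows in the shape the transforms.conf answer targets.
CSV_ROWS = [
    "2024-05-01T10:00:00,wineventlog:Security,An account was successfully logged on",
    "2024-05-01T10:00:01,wineventlog:Security,4624,logon",
    "2024-05-01T10:00:02,syslog:auth,session opened",
]

THREAD_REGEX = r",wineventlog:(\S+),"       # pattern as posted in the thread
STRICT_REGEX = r",wineventlog:([^,\s]+),"   # assumed variant: stop at the field boundary
FORMAT = "source::WinEventLog:$1"

def parse_conf(text):
    """Parse a Splunk .conf file into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as-is
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def stanzas_missing_sourcetype(conf_text):
    """WinEventLog input stanzas that rely on the default sourcetype."""
    conf = parse_conf(conf_text)
    return sorted(name for name, kv in conf.items()
                  if name.startswith("WinEventLog://") and "sourcetype" not in kv)

def rewrite_source(row, regex=THREAD_REGEX, current_source="EventCode.csv"):
    """Apply REGEX/FORMAT the way a MetaData:Source transform would.
    Splunk's $1 becomes a Python backreference; 'source::' is the key prefix
    Splunk expects in FORMAT for this DEST_KEY, so it is stripped from the result."""
    m = re.search(regex, row)
    if not m:
        return current_source            # no match: the source is left untouched
    return m.expand(FORMAT.replace("$1", r"\1")).removeprefix("source::")

if __name__ == "__main__":
    print("missing sourcetype:", stanzas_missing_sourcetype(INPUTS_CONF))
    for row in CSV_ROWS:
        print(rewrite_source(row), "|", rewrite_source(row, STRICT_REGEX))
```

The second row shows why the dry run matters: `\S+` runs past the channel name into the following columns whenever they contain no whitespace, so the source becomes `WinEventLog:Security,4624` instead of `WinEventLog:Security`.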

bbiswabhusan
Explorer

@gcusello I haven't yet tried that, as generally that wasn't required. Is there any specific reason why it's not working?


gcusello
SplunkTrust

Hi @bbiswabhusan,

What do you mean by "not working"?
Fields aren't extracted?
What's the sourcetype associated with your logs?

Could you share a screen of your logs and fields?

Ciao.

Giuseppe
