Getting Data In

Why are Windows event logs getting joined when setting the source to WinEventLog:xxxxxxx?

Dean_Box
Engager

Hello,

All our Windows Application, Security & System logs are being forwarded to a central syslog-ng server (1 line per event).  

On the syslog server we have the Splunk Heavy Forwarded installed and I have been forwarding the logs on to Splunk Indexer.

I'm trying to use the Windows TA Add-on and it requires the sourcetype to be WinEventLog and the source to be one of WinEventLog:Application, WinEventLog:Security or WinEventLog:System.

So in the inputs.conf on the heavy forwarder I added the lines to each input;

[monitor:///app/syslog-ng/logs/production-logs/siem_win_sec_log]
sourcetype=WinEventLog
source=WinEventLog:Security
_TCP_ROUTING = SIEMIndexer

[monitor:///app/syslog-ng/logs/production-logs/siem_win_app_log]
sourcetype=WinEventLog
source=WinEventLog:Application
_TCP_ROUTING = SIEMIndexer

[monitor:///app/syslog-ng/logs/production-logs/siem_win_sys_log]
sourcetype=WinEventLog
source=WinEventLog:System
_TCP_ROUTING = SIEMIndexer

Now when I search in the search head I am seeing that 2 or 3 or 4 log entries are being grouped as 1 big entry.  I played around with the source/sourcetype fields and found that the problem is only there when the source starts with WinEventLog.

I found the [source::WinEventLog...] in props.conf and tried commenting it out partially or completely and it did not make any difference.  This was on the indexer and heavy forwarded in the /etc/system/local/props.conf.

Is there anyway to get Windows Event Logs in syslog format in to Splunk in a way that the Windows TA Addon will recognize?  The will eventually be feeding in to Security Essentials.

 

Thank you,

Dean

Labels (4)

opoplawski
Explorer

I think I'm seeing essentially the same thing, though from a different route - I'm getting JSON data from NXLog and sending it to a tcp input.  Works fine until I set "source=WinEventLog:System" at which point I get multiple lines of json text as a single event.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...