Why are Windows event logs getting joined when setting the source to WinEventLog:xxxxxxx?

Dean_Box
Engager

Hello,

All our Windows Application, Security & System logs are being forwarded to a central syslog-ng server (1 line per event).  

On the syslog server we have the Splunk Heavy Forwarder installed and I have been forwarding the logs on to the Splunk Indexer.

I'm trying to use the Windows TA Add-on and it requires the sourcetype to be WinEventLog and the source to be one of WinEventLog:Application, WinEventLog:Security or WinEventLog:System.

So in the inputs.conf on the heavy forwarder I added the lines to each input:

[monitor:///app/syslog-ng/logs/production-logs/siem_win_sec_log]
sourcetype=WinEventLog
source=WinEventLog:Security
_TCP_ROUTING = SIEMIndexer

[monitor:///app/syslog-ng/logs/production-logs/siem_win_app_log]
sourcetype=WinEventLog
source=WinEventLog:Application
_TCP_ROUTING = SIEMIndexer

[monitor:///app/syslog-ng/logs/production-logs/siem_win_sys_log]
sourcetype=WinEventLog
source=WinEventLog:System
_TCP_ROUTING = SIEMIndexer

Now when I search in the search head I am seeing that 2 or 3 or 4 log entries are being grouped as 1 big entry.  I played around with the source/sourcetype fields and found that the problem is only there when the source starts with WinEventLog.

I found the [source::WinEventLog...] in props.conf and tried commenting it out partially or completely and it did not make any difference.  This was on the indexer and heavy forwarder in the /etc/system/local/props.conf.

Is there any way to get Windows Event Logs in syslog format into Splunk in a way that the Windows TA Add-on will recognize?  They will eventually be feeding into Security Essentials.

Thank you,

Dean
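The following props.conf fragment is an added example, not something posted in this thread or taken from the Windows TA. It assumes (this is the assumption being tested, not a fact the thread states) that the default [source::WinEventLog...] stanza the poster found is a multi-line merging rule written for the native Windows event log layout, and that it matches any source beginning with WinEventLog, which would explain why the one-line syslog events are joined. Commenting a default stanza out in system/local has no effect, because the copy in system/default or in the app still applies; the default has to be overridden by a more specific stanza. The override must sit on the first full Splunk instance that parses the data, here the heavy forwarder, since the indexer receives already-parsed events and will not re-break them. The security point is that each syslog line is one audit event; once several are merged into one, searches, field extractions and Security Essentials content see only the first one.

```ini
# $SPLUNK_HOME/etc/system/local/props.conf on the heavy forwarder
# (the first instance that parses these inputs; props on the indexer
# do not re-parse events the heavy forwarder has already cooked).
# Added example, not from the thread. Assumption: the default wildcard
# [source::WinEventLog...] stanza is the rule joining the syslog lines.

# What the default rule is assumed to look like (shown only for contrast;
# do not copy this part, it is the behaviour being overridden):
# [source::WinEventLog...]
# SHOULD_LINEMERGE = true

# Override: one exact-source stanza per input. An exact source name is more
# specific than the wildcard, and priority makes the choice explicit.
# Every line terminated by CR/LF becomes its own event.
[source::WinEventLog:Security]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
priority = 100

[source::WinEventLog:Application]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
priority = 100

[source::WinEventLog:System]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
priority = 100
```

To check which stanza actually wins on the heavy forwarder before restarting, run `splunk btool props list source::WinEventLog:Security --debug` and confirm that SHOULD_LINEMERGE resolves to false from the local file rather than to true from a default. Only data indexed after the restart is affected; events already merged stay merged. Separately, giving the data the TA's sourcetype and source names does not by itself make the TA's field extractions fit a different text layout, so after the line breaking is fixed it is worth confirming that fields such as EventCode are extracted from a few sample events.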

opoplawski
Explorer

I think I'm seeing essentially the same thing, though from a different route - I'm getting JSON data from NXLog and sending it to a TCP input.  It works fine until I set "source=WinEventLog:System", at which point I get multiple lines of JSON text as a single event.
