Solved: WinEventLogs Cannot get Event Details

nabeel652 · ‎06-07-2017

I am monitoring WinEventLogs for Direct Access Troubleshooting using stanzas like:

[WinEventLog://Microsoft-Windows-Base-Filtering-Engine-Connections/Operational]
disabled = 0
index = myindex

I am successfully getting all events but the information I can see in Windows Event Viewer's Details tab is not received. The information in the logs in Splunk is pretty basic and almost useless.

I've uploaded two screenshots. DA_Logs shows what I am getting using the above stanza whereas DA_Logs2 is the what I actually need under "Details" tab from the Event Viewer.

Richfez · ‎06-08-2017

The fields and values under the "Details" section of the Windows Event is actually what Windows would send if you set renderXml = 1 on. What you get when you either have renderXml = 0 (or if the setting just isn't in there) is the information under the "General" tab.

Normally these two sets of information are the same or at least very similar, but not always. It will always show different in field names and such, but that's to be expected since half of the non-xml events don't have field names properly anyway. In some cases the actual information is completely different.

My guess is this is what you are seeing. To fix, edit your input stanza and add to it:

[WinEventLog://Microsoft-Windows-Base-Filtering-Engine-Connections/Operational]
renderXml = 1
disabled = 0
index = myindex

After that (well, and appropriate UF restarts and whatnot) your events will come in looking as ugly as sin, BUT the fields will be far better and more usefully named and will have better content most of the time.

So, I'd recommend after the above change that you shorten your time frame, run it in verbose mode and exploring the new fields (rather than looking at and going blind from the raw XML).

View solution in original post

Richfez · ‎06-08-2017

The fields and values under the "Details" section of the Windows Event is actually what Windows would send if you set renderXml = 1 on. What you get when you either have renderXml = 0 (or if the setting just isn't in there) is the information under the "General" tab.

Normally these two sets of information are the same or at least very similar, but not always. It will always show different in field names and such, but that's to be expected since half of the non-xml events don't have field names properly anyway. In some cases the actual information is completely different.

My guess is this is what you are seeing. To fix, edit your input stanza and add to it:

[WinEventLog://Microsoft-Windows-Base-Filtering-Engine-Connections/Operational]
renderXml = 1
disabled = 0
index = myindex

After that (well, and appropriate UF restarts and whatnot) your events will come in looking as ugly as sin, BUT the fields will be far better and more usefully named and will have better content most of the time.

So, I'd recommend after the above change that you shorten your time frame, run it in verbose mode and exploring the new fields (rather than looking at and going blind from the raw XML).

ddrillic · ‎06-08-2017

Maybe the following can help - Monitor Windows event log data

WinEventLogs Cannot get Event Details

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation