Getting Data In
Highlighted

Windows Event logs in syslog format

New Member

All our windows servers are sending security event logs to a central syslog server - they are not in Windows event log format, they are converted to syslog (by Corelog).

Our central syslog server receives the converted Windows security event logs and places them in a unique file /var/log/windows. At this point a Splunk light forwarder sends the data to our Splunk indexer.

The Splunk indexer receives the Windows syslog where I've defined a new sourcetype (based from the source file /var/log/windows), and filtered for only certain event ID's by defining a new field windowserrorcode

My question(s) is this - has anyone defined any apps that will read syslog data that is actually created from Windows Event logs?

Any suggestions on how I can use the windows/syslog data without too much re-inventing the wheel?

Thanks!

Tags (1)
0 Karma
Highlighted

Re: Windows Event logs in syslog format

SplunkTrust
SplunkTrust

Without seeing the exact format of the syslog entries it sounds like you are going to be forced into working up a number of regex extractions for your new sourcetype. Is there a reason such as license limitation that you are not just deploying the universal forwarder with the windows TA to the systems you want logs from?