Getting Data In

Windows event log XML not parsing with KV_MODE = xml

jpolcari
Communicator

I have made the following change to a forwarder to send JUST applocker data as XML:

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
renderXml=1

[WinEventLog://Microsoft-Windows-AppLocker/MSI and Script]
disabled = 0
renderXml=1

I am able to parse the field values if I use | xmlkv, but when adding KV_MODE = xml to the props.conf on the forwarder (like so):

[XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL]
KV_MODE = xml

I do not get parsed results in Splunk. Am I missing something?

benlc
Path Finder

I figured that KV_MODE = xml for any XmlWinEventLog is not working somehow. Maybe it is not prober XML. I could not find something in answer. But as I have the same problem I found a lot of suggestions using KV_MODE = xml. But it just does not work ;-).

https://answers.splunk.com/answers/302711/how-to-configure-splunk-to-extract-xml-fields-from.html
https://answers.splunk.com/answers/402872/how-do-i-parse-applocker-windows-event-log-renderx.html

I personally would use Splunk_TA_windows Transforms. They do extract the fields perfect. But the stanza in the splunk App [(?::){0}XmlWinEventLog:*] does not work for me.
So I copied the Transforms directly to the sourcetype and created a local/props.conf:

e.g.
[XmlWinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational]
KV_MODE = none
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data

Maybe somebody can comment on this issue? But the above solution works perfectly for me.

Have a good day.
Ben

0 Karma

jconger
Splunk Employee
Splunk Employee

KV_MODE is a search-time field extractor, so it will need to go in props.conf on your search head instead of the forwarder.

0 Karma

jpolcari
Communicator

I've added the KV_MODE section to prop.conf (the one in %SPLUNK_Home%\etc\system\local) on my search head and restarted but I am still getting the same results. The fields are not getting extracted. Any other idea?

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...