Getting Data In

Windows event log XML not parsing with KV_MODE = xml

jpolcari
Communicator

I have made the following change to a forwarder to send JUST applocker data as XML:

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
renderXml=1

[WinEventLog://Microsoft-Windows-AppLocker/MSI and Script]
disabled = 0
renderXml=1

I am able to parse the field values if I use | xmlkv, but when adding KV_MODE = xml to the props.conf on the forwarder (like so):

[XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL]
KV_MODE = xml

I do not get parsed results in Splunk. Am I missing something?

amara
New Member

I got the same parsing issue like you using the KV_MODE parameter  but  i found the cause and the solution

Tested on splunk enterprise 9.2.1, in the props.conf,  you should specify the source field and value in the stanza like this:

[source::WinEventLog]
KV_MODE = xml

 

NB: you can adapt the source value to match to you logs source value

***Since the post is old, I hope this solution will be useful to those who encounter the problem again.***

Tags (2)
0 Karma

benlc
Path Finder

I figured that KV_MODE = xml for any XmlWinEventLog is not working somehow. Maybe it is not prober XML. I could not find something in answer. But as I have the same problem I found a lot of suggestions using KV_MODE = xml. But it just does not work ;-).

https://answers.splunk.com/answers/302711/how-to-configure-splunk-to-extract-xml-fields-from.html
https://answers.splunk.com/answers/402872/how-do-i-parse-applocker-windows-event-log-renderx.html

I personally would use Splunk_TA_windows Transforms. They do extract the fields perfect. But the stanza in the splunk App [(?::){0}XmlWinEventLog:*] does not work for me.
So I copied the Transforms directly to the sourcetype and created a local/props.conf:

e.g.
[XmlWinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational]
KV_MODE = none
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data

Maybe somebody can comment on this issue? But the above solution works perfectly for me.

Have a good day.
Ben

0 Karma

jconger
Splunk Employee
Splunk Employee

KV_MODE is a search-time field extractor, so it will need to go in props.conf on your search head instead of the forwarder.

0 Karma

jpolcari
Communicator

I've added the KV_MODE section to prop.conf (the one in %SPLUNK_Home%\etc\system\local) on my search head and restarted but I am still getting the same results. The fields are not getting extracted. Any other idea?

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...