Hi, I'm a beginner with this product and I'm asking for help.
I installed the package "splunkforwarder-6.0.1-189883-x86-release.msi"
on an English (ENU) Windows installation, and all Event Logs are forwarded and parsed correctly, so I can build reports/dashboards.
I installed the same package on the Italian version of Windows.
The Event Logs are forwarded but not parsed correctly.
This is the beginning of the original message:
Message=Accesso alla rete riuscito:
Nome utente: Administrator
ID accesso: (0x0,0x1738E4)
Tipo accesso: 2
Processo di accesso: User32
The "problem" is field definitions. Fields in Splunk can either be discovered automatically by Splunk (by default, for a syntax like "string=value"), or you can simply define them yourself using a regex. Field extractions are based on the "sourcetype", that is, the "kind" of log data you're analyzing.
Predefined sourcetypes, like WinEventLog:*, rely on the English default language to recognize fields. So you should enhance this by defining new field extractions for the WinEventLog:* sourcetypes using the strings in Italian.
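As an added example (not the poster's code and not anything shipped with Splunk), the script below shows what that answer means in practice: one regex per label, keyed on the Italian text quoted in the question, capturing into the same field names the English events would produce so existing dashboards keep working. Running the English extractions over the Italian event returns nothing, which is exactly the symptom reported; the Italian set returns all four fields. It also renders the same regexes as props.conf EXTRACT-* lines for the sourcetype stanza. The field names (User_Name, Logon_ID, Logon_Type, Logon_Process), the English label text, the sourcetype name WinEventLog:Security and both sample events are assumptions constructed for the example; Splunk's PCRE engine writes named groups as (?<name>...), while Python's re module needs (?P<name>...), so the helper emits whichever form the caller asks for.

```python
import re

# Constructed sample events (not real telemetry). The Italian text reproduces
# the lines quoted in the question; the English version is its counterpart.
EVENT_IT = (
    "Accesso alla rete riuscito:\n"
    "Nome utente: Administrator\n"
    "ID accesso: (0x0,0x1738E4)\n"
    "Tipo accesso: 2\n"
    "Processo di accesso: User32\n"
)
EVENT_EN = (
    "Successful Network Logon:\n"
    "User Name: Administrator\n"
    "Logon ID: (0x0,0x1738E4)\n"
    "Logon Type: 2\n"
    "Logon Process: User32\n"
)

# Field name -> label text per language. The field names are an assumption
# made for this example; use whatever names your English extractions already
# produce so that reports built on the English host keep working.
LABELS = {
    "en": {"User_Name": "User Name", "Logon_ID": "Logon ID",
           "Logon_Type": "Logon Type", "Logon_Process": "Logon Process"},
    "it": {"User_Name": "Nome utente", "Logon_ID": "ID accesso",
           "Logon_Type": "Tipo accesso", "Logon_Process": "Processo di accesso"},
}


def _escape(label):
    """Escape regex metacharacters but keep spaces readable (valid in PCRE and Python)."""
    return re.sub(r"([.^$*+?{}\[\]\\|()])", r"\\\1", label)


def field_regex(field, label, python=True):
    """Regex capturing the value that follows 'Label:' up to the end of that line.
    python=True emits (?P<name>...) for Python's re; python=False emits the
    (?<name>...) form used in Splunk (PCRE) extractions."""
    group = f"(?P<{field}>" if python else f"(?<{field}>"
    return rf"{_escape(label)}:[ \t]*{group}[^\r\n]+)"


def extract(event, lang):
    """Apply the extractions for one language; returns only the fields that matched."""
    out = {}
    for field, label in LABELS[lang].items():
        m = re.search(field_regex(field, label), event)
        if m:
            out[field] = m.group(field).strip()
    return out


def detect_language(event):
    """Pick the language whose labels match the most fields; None if nothing
    matches (the question's situation: English extractions on Italian text)."""
    best, best_n = None, 0
    for lang in LABELS:
        n = len(extract(event, lang))
        if n > best_n:
            best, best_n = lang, n
    return best


def props_conf(lang, sourcetype="WinEventLog:Security"):
    """Render the same regexes as props.conf EXTRACT-* lines under the sourcetype stanza."""
    lines = [f"[{sourcetype}]"]
    for field, label in LABELS[lang].items():
        lines.append(f"EXTRACT-{lang}_{field.lower()} = "
                     f"{field_regex(field, label, python=False)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(extract(EVENT_IT, "en"))                     # {} : the reported symptom
    print(extract(EVENT_IT, detect_language(EVENT_IT)))  # all four fields
    print(props_conf("it"))
```

Before pasting the generated lines into props.conf, test each regex against a real Italian event in the search bar with the rex command, since label text varies between Windows versions as well as between languages, and keep the English extractions in place so the same searches work for both hosts.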