Hi there,
I monitor the Windows Security event log from the DC with raw syslog.
I can see the raw data in Splunk (without the default Syslog RFCs), and I can also see the data in XML view.
When I downloaded the Splunk Add-on for Windows, I configured the WinEventLog source type for my UDP data input (where only the Windows Security event log from the DC is delivered).
I can see that the fields are extracted with the XML headers.
Example:
System.EventId
EventData.LogonType
I can only receive syslog.
Thanks in advance.