Getting Data In

windows evtx logs to splunk linux deployment using a universal forwarder

d4rk_sp1d3r
Loves-to-Learn Lots

I am trying to forward logs from a Windows server to a Linux Splunk Enterprise using the universal forwarder. The Application.evtx file was transferred to the folder D:\Archive_Logs\Application_Logs\Application.evtx instead of the regular folder where application logs are stored. I used inputs.conf to monitor the file using [monitor://d:\Archive_Logs\Application_Logs\Application.evtx]. It seems to have ingested it, but I only got 1 event with unreadable data. This is the same unreadable data I get when I try to use the Add Data In feature in Splunk. I read the document at https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/MonitorWindowseventlogdata and it says there are some issues with using Linux Splunk for monitoring Windows event logs. Not sure why this is not working, because we also have other servers with Windows event logs being sent to the same Linux Splunk Enterprise, but those are using the regular [WinEventLog://Application] input. Why does this happen and how can I get our logs sent to Splunk? We have a Splunk deployment with a deployment master pushing apps to Windows servers.

0 Karma
1 Solution

wyfwa4
Communicator

The issue is that files in .evtx format are not readable - they are a custom binary format used by Microsoft. So even if you tried to read them on a Windows-based Splunk server, it would not work. If they are sitting in a disk folder, then somebody has exported them and they are no longer Windows event logs, but just files containing data extracted from a Windows event log.

When using the standard Splunk Windows log collection process - [WinEventLog://Application] - this uses API calls to read each event, rather than trying to read a file directly on disk.

You will need to either convert the files to readable text, or switch to reading the events within the event log before they are exported. There seem to be some details on using the tool WEVTUTIL to perform this conversion.

https://techcommunity.microsoft.com/t5/ask-the-performance-team/windows-vista-and-exported-event-log...
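The symptom in the question (one event of unreadable data) is exactly what a monitor:// input produces when it is pointed at a binary .evtx file: the bytes have no line breaks Splunk can use, so the whole chunk becomes one garbage event. The script below is an added example, not part of the original post or of any Splunk tooling: it triages files dropped into an archive folder before a forwarder picks them up, by checking the file header. Every .evtx starts with the 8-byte signature "ElfFile\0", so a raw saved log is easy to tell apart from a wevtutil text or XML export. The folder name, the sample file contents and the advice strings are constructed for the demonstration; the wevtutil syntax and the props.conf settings named in the advice are real, but whether they fit a given deployment is an assumption the reader should check.

```python
"""Triage files in an archive folder before a Splunk monitor:// input reads them.

Added example: distinguishes a raw saved Windows event log (.evtx, binary) from
the text/XML exports that a universal forwarder's monitor:// input can actually
parse. All sample file contents below are constructed, not real event data.
"""
import os
import tempfile

# Every .evtx file begins with this signature: "ElfFile" followed by a NUL byte.
EVTX_MAGIC = b"ElfFile\x00"
# Each 64 KiB chunk inside an .evtx begins with this signature.
EVTX_CHUNK_MAGIC = b"ElfChnk\x00"

# What to do with each kind of file (constructed guidance for the demo).
ADVICE = {
    "evtx": "raw saved event log: convert first, e.g. wevtutil qe <file> /lf:true /f:xml",
    "xml": "XML export: monitor:// can read it; use a sourcetype whose LINE_BREAKER splits on <Event",
    "text": "text export: monitor:// can read it directly",
    "text-utf16": "UTF-16 text (typical of Windows PowerShell '>' redirection): set CHARSET = UTF-16LE "
                  "in props.conf or re-export as UTF-8",
    "binary": "unknown binary content: do not ingest as-is",
    "empty": "empty file: nothing to ingest",
}


def classify_header(head: bytes) -> str:
    """Classify a file from its first bytes: evtx, xml, text, text-utf16, binary or empty."""
    if not head:
        return "empty"
    if head.startswith(EVTX_MAGIC):
        return "evtx"
    # UTF-16 exports carry a byte-order mark and NUL bytes between ASCII characters.
    if head.startswith(b"\xff\xfe") or head.startswith(b"\xfe\xff"):
        return "text-utf16"
    stripped = head.lstrip(b"\xef\xbb\xbf \r\n\t")  # drop UTF-8 BOM and leading whitespace
    if stripped.startswith(b"<?xml") or stripped.startswith(b"<Event"):
        return "xml"
    # Plain text decodes as UTF-8 and contains no NUL bytes; anything else is binary.
    if b"\x00" not in head:
        try:
            head.decode("utf-8")
            return "text"
        except UnicodeDecodeError:
            pass
    return "binary"


def classify_log_file(path: str) -> str:
    """Read the first 4 KiB of a file and classify it."""
    with open(path, "rb") as fh:
        return classify_header(fh.read(4096))


def triage_folder(folder: str) -> dict:
    """Map every regular file in *folder* to its classification."""
    results = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            results[name] = classify_log_file(path)
    return results


# Constructed sample files: an .evtx header, a wevtutil-style XML export, a text export,
# and the same text export written by Windows PowerShell redirection (UTF-16LE with BOM).
SAMPLE_FILES = {
    "Application.evtx": EVTX_MAGIC + b"\x00" * 120 + EVTX_CHUNK_MAGIC + b"\x00" * 100,
    "Application.xml": (b"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
                        b"<System><EventID>1000</EventID></System></Event>\r\n"),
    "Application.txt": b"Event[0]:\r\n  Log Name: Application\r\n  Source: ExampleSource\r\n",
    "Application-ps.txt": b"\xff\xfe" + "Event[0]:\r\n  Log Name: Application\r\n".encode("utf-16-le"),
}


def main() -> None:
    with tempfile.TemporaryDirectory() as folder:
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(content)
        for name, kind in triage_folder(folder).items():
            print(f"{name:20} {kind:11} {ADVICE[kind]}")


if __name__ == "__main__":
    main()
```

Run on the real archive folder, this tells you before the forwarder does whether a file is still a binary event log that needs wevtutil first. The UTF-16 case is worth the extra branch: converting on Windows and redirecting the output with Windows PowerShell produces UTF-16LE text, which Splunk also renders as garbage unless the sourcetype's CHARSET matches.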

