Index Windows log evtx

kalianov · ‎03-01-2017

Hi guys!
I have a free Splunk server which installed on Windows 2012 and
I want to index and analyze Security.evtx file, which I download from remote user's PC (Windows7).
I tried to add this stanzas to index.conf and reboot splunk server, but no information were indexed:
I can't use forwarder, it's a one-time need.
Var1
[WinEventLog://C:\temp\Security.evtx]
current_only = 0
disabled = 0
host = userPChostname
index = winevent_ext
sourcetype = WinEventLog:Security
start_from = oldest

Var2: If I open my "Security.evtx" file in Event Viewer, it's opened in "Saved Logs-Security" tree thats why I tried this:
[WinEventLog://Saved Logs/Security]
current_only = 0
disabled = 0
host = userPChostname
index = winevent_ext
sourcetype = WinEventLog:Security
start_from = oldest

No results.

jkat54 · ‎03-01-2017

You have to open the event log in your event viewer on your local machine and then export it as csv and then you can use the add data wizard in Splunk.

kalianov · ‎03-01-2017

Thanks for your advice. This is the right solution, but the task is to do it without conversion.

jkat54 · ‎03-02-2017

You can't. You either put a forwarder on the machine to read the data where it is being generated, pull the data from another windows machine running Splunk via WMI input, or you do the conversion.

Index Windows log evtx

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...