Reporting

Index Windows log evtx

kalianov
Path Finder

Hi guys!
I have a free Splunk server which installed on Windows 2012 and
I want to index and analyze Security.evtx file, which I download from remote user's PC (Windows7).
I tried to add this stanzas to index.conf and reboot splunk server, but no information were indexed:
I can't use forwarder, it's a one-time need.
Var1
[WinEventLog://C:\temp\Security.evtx]
current_only = 0
disabled = 0
host = userPChostname
index = winevent_ext
sourcetype = WinEventLog:Security
start_from = oldest

Var2: If I open my "Security.evtx" file in Event Viewer, it's opened in "Saved Logs-Security" tree thats why I tried this:
[WinEventLog://Saved Logs/Security]
current_only = 0
disabled = 0
host = userPChostname
index = winevent_ext
sourcetype = WinEventLog:Security
start_from = oldest

No results.

Tags (2)
0 Karma

jkat54
SplunkTrust
SplunkTrust

You have to open the event log in your event viewer on your local machine and then export it as csv and then you can use the add data wizard in Splunk.

kalianov
Path Finder

Thanks for your advice. This is the right solution, but the task is to do it without conversion.

0 Karma

jkat54
SplunkTrust
SplunkTrust

You can't. You either put a forwarder on the machine to read the data where it is being generated, pull the data from another windows machine running Splunk via WMI input, or you do the conversion.

Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...