Splunk Enterprise Security

Can you answer my question about WinEventLogs and XML in Splunk Enterprise Security?: (sourcetype=XmlWinEventLog vs. sourctype=WinEventLog)

GenericSplunkUs
Path Finder

General Splunk question on ingesting Windows Event Logs.

We're currently using XML to ingest all of our Windows Event Logs, and I'm looking for some documentation on the reasons to use this or not to use this. And, if we can ingest without the XML, are there good ways to reduce the extra logging volume that creates?

I've been googling for a while, if someone could help me out with an explanation or preferably a document you have saved (or several of them) that I can read through to get a better understanding of this.

Much Thanks!

0 Karma
1 Solution

lakshman239
SplunkTrust
SplunkTrust

Did you check this out?

https://answers.splunk.com/answers/618959/windows-security-events-xml-vs-non-xml-format.html

I personally feel the non-xml is good from readability point of view. You can always use 'sed' to trim of unwanted text/empty lines to reduce license/disk space (if that's of concern).

I have also come across people suggesting the use of xml may improve the rendering and parsing of the events, when the splunk pulls the windows events through the API, but, haven't seen much (myself).

Are you seeing any problem which you think could be addressed by non-xml?

View solution in original post

0 Karma

ishan_splunk
Splunk Employee
Splunk Employee

Use Splunk add-on for Windows https://splunkbase.splunk.com/app/742/

It has a very good support of plain text as well as xml wineventlog by providing specific field extractions for some logs and provides generic field extractions for other logs.

It also fixes some field extractions issues in auto extracted fields by Splunk from both plain text and xml

My recommendation is to use XML format which seems faster in retrieving from windows and faster search time parsing in Splunk

lakshman239
SplunkTrust
SplunkTrust

Did you check this out?

https://answers.splunk.com/answers/618959/windows-security-events-xml-vs-non-xml-format.html

I personally feel the non-xml is good from readability point of view. You can always use 'sed' to trim of unwanted text/empty lines to reduce license/disk space (if that's of concern).

I have also come across people suggesting the use of xml may improve the rendering and parsing of the events, when the splunk pulls the windows events through the API, but, haven't seen much (myself).

Are you seeing any problem which you think could be addressed by non-xml?

0 Karma

GenericSplunkUs
Path Finder

I had not seen that one. Thanks!

Reading the threads now.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...