Splunk Enterprise

After editing inputs.config on forwarder data shows up unreadable

carlyleadmin
Contributor

Hi, I edited the inputs.conf file on my forwarder, and once I restart Splunk etc. I see the data in search but it is not readable. Can anyone tell me what I am doing wrong?

[default]
host = xxxxxxx

[monitor://C:\Windows\System32\winevt\Logs*]
disabled = false
index=xxxxxx
followTail = 0
sourcetype = sync

I have all the other data coming in fine.

Thanks,


mattymo
Splunk Employee

Hi Carlyleadmin!

Monitoring evtx files can be tricky.

Please review https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Constraints

I believe the issue here is the sourcetype. There is a specific sourcetype for evtx.

From $SPLUNK_HOME/etc/system/default/props.conf:

[source::....(?i)(evt|evtx)(.\d+)?]
sourcetype = preprocess-winevt
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD=30
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv

[preprocess-winevt]
invalid_cause = winevt
is_valid = False
LEARN_MODEL = false

What was the change you made? The sourcetype?

- MattyMo

carlyleadmin
Contributor

Hey mmodestino,

Instead of initially monitoring the application files through the installation of the UF, I wanted to skip that part and try to monitor Windows event log files by editing the inputs file.

I gave it the sourcetype name "sync" and used an indexer I created, mainly because I did not want to put Windows event files in the main index, because I have other Windows event log files being written there from another machine.
So I uninstalled the UF, and on initial installation I selected to monitor application log files through WMI. Now it is working, but those files are going into the "main" index. I guess I can move them to another index, right? I will try that.

Thanks for the quick reply.


mattymo
Splunk Employee

So, the index=xxxxx setting in the inputs.conf you shared above is how you control which index the data will go to. The sourcetype tells Splunk how to parse the data. That's why I think the data was messed up above: winevent logs are not regular flat files.

Are these exported, historical Windows event logs? (I assumed they were.) Or the live logs on the machine? If it is the actual local logs, I would suggest the UF is the way you want to go, using the wineventlog input.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/MonitorWindowseventlogdata
http://docs.splunk.com/Documentation/Splunk/6.6.0/admin/Inputsconf#Windows_Event_Log_Monitor

WMI is not the first thing I'd go to for monitoring Windows, but it depends on what you are trying to do....

- MattyMo
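As an added check (not code from the thread or from Splunk), here is a small Python linter that parses an inputs.conf in the style of the one posted above and flags monitor:// stanzas pointing at .evt/.evtx files or the winevt\Logs directory whose sourcetype has been overridden, the mismatch MattyMo identifies against the default props.conf stanza quoted in the solution. The sample config is constructed (placeholder index and paths), and the suggested [WinEventLog://<channel>] input is the UF event log input from the linked Windows_Event_Log_Monitor docs.

```python
import re
# Paths that Splunk's default props.conf routes to the binary-aware
# preprocess-winevt sourcetype (the stanza quoted above), plus winevt\Logs.
EVT_FILE = re.compile(r"(?i)\.(evt|evtx)(\.\d+)?$")
EVT_DIR = re.compile(r"(?i)winevt[\\/]+logs")

def parse_conf(text):
    """Minimal Splunk .conf parser: {stanza: {key: value}} in file order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def find_misparsed_evtx_inputs(conf_text):
    """Flag monitor:// stanzas on Windows event log files whose sourcetype is
    overridden: Splunk then indexes binary .evtx as text (the thread's symptom)."""
    findings = []
    for stanza, kv in parse_conf(conf_text).items():
        if not stanza.startswith("monitor://"):
            continue
        path = stanza[len("monitor://"):].rstrip("*")
        if not (EVT_FILE.search(path) or EVT_DIR.search(path)):
            continue
        sourcetype = kv.get("sourcetype")
        if sourcetype and sourcetype != "preprocess-winevt":
            findings.append({"stanza": stanza, "sourcetype": sourcetype,
                             "fix": "drop the sourcetype override, or for live "
                                    "logs use a [WinEventLog://<channel>] input"})
    return findings

# Constructed sample: the poster's monitor stanza (placeholder index) plus an
# ordinary text-log monitor and a WinEventLog input that must not be flagged.
SAMPLE_INPUTS_CONF = r"""[monitor://C:\Windows\System32\winevt\Logs*]
disabled = false
index=example_idx
followTail = 0
sourcetype = sync
[monitor://C:\inetpub\logs\LogFiles\W3SVC1]
sourcetype = iis
[WinEventLog://Application]
disabled = 0
"""
```

Running find_misparsed_evtx_inputs(SAMPLE_INPUTS_CONF) returns exactly one finding, for the winevt\Logs stanza with sourcetype "sync"; the IIS and WinEventLog stanzas pass.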

carlyleadmin
Contributor

You are right, mmodestino, they are historical data, but like you said, it is because they are winevent logs and not regular files that it was showing up messed up.

Thanks,


carlyleadmin
Contributor

Well, I uninstalled my UF and reinstalled it, and pointed it to monitor Application logs from the install, instead of editing inputs.conf manually later on.


mattymo
Splunk Employee

Cool, glad you got it working!

- MattyMo

mattymo
Splunk Employee

Hey carlyleadmin, what ended up working for you?

- MattyMo