Moving Windows logs to NAS
The goal here is that Windows logs that are moved off a system can be added to a NAS location that I can mount on the Splunk instance. With this I can then ingest the logs as normal, maintaining the same source, windows:security. However, this is stated to be an API call, so I am not sure whether applying the following stanza would work:
[WinEventLog://Security]
disabled = 0
index = test01
Some other details: the logs are coming off a Windows system that is isolated and not connected to Splunk. Splunk says you can't monitor .evtx files with a monitor stanza. The NAS location is Linux based, so the logs would be dropped in a directory such as /Nas/Windows/Hostname.
Any best practices to make this work?

I seem to recall that you could ingest an evtx file by uploading it via the web interface to a Windows instance of the Splunk server, but if that is indeed the case, it's pretty much the only way to do anything with a raw evtx file using Splunk's own mechanisms.
Evtx is a proprietary Windows file format with no officially available documentation. There are some reverse-engineered "specs" of the file format and some libraries/tools claiming support for it, but you can never be 100% sure.
You could try writing your own scripted/modular input using the python-evtx Python module: https://github.com/williballenthin/python-evtx
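As an added example of the scripted-input approach suggested above (this is not code from the thread, from Splunk, or from the python-evtx project), the script below walks the reverse-engineered EVTX container layout with only the Python standard library: the 4096-byte "ElfFile" file header, the 65536-byte "ElfChnk" chunks, and the fixed 24-byte record header with its FILETIME timestamp. It verifies the file-header and per-chunk CRC32 checksums before trusting anything, because a log copied off a live or unclean-shutdown system can have stale counters or a half-written last chunk, and it keeps a checkpoint of the last record id per file so that rerunning the input does not duplicate events. The binary-XML event body is not decoded here; that is the part python-evtx does. The directory layout (/Nas/Windows/<Hostname>/*.evtx), the checkpoint file path, and the JSON output fields are assumptions.

```python
#!/usr/bin/env python3
"""Scripted-input style reader for .evtx files copied to a NAS share.

Added example, not from the thread. Standard library only; parses the
reverse-engineered EVTX container (ElfFile header, ElfChnk chunks, record
headers) and leaves the binary-XML body to a library such as python-evtx.
Directory layout, checkpoint path and output fields are assumptions.
"""
import datetime as dt
import glob
import json
import os
import struct
import sys
import zlib

FILE_MAGIC, CHUNK_MAGIC, RECORD_MAGIC = b"ElfFile\x00", b"ElfChnk\x00", b"\x2a\x2a\x00\x00"
FILE_HEADER_SIZE, CHUNK_SIZE = 4096, 65536
FILETIME_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)


def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 string."""
    return (FILETIME_EPOCH + dt.timedelta(microseconds=ft // 10)).isoformat()


def parse_evtx(data):
    """Yield (record_id, iso_time, body_bytes) for each record in a chunk that
    passes both CRC32 checks. A bad file header raises ValueError; a bad chunk
    is skipped, since header counters can be stale on a dirty (unclosed) log."""
    if data[:8] != FILE_MAGIC:
        raise ValueError("not an EVTX file: bad ElfFile magic")
    if zlib.crc32(data[:120]) != struct.unpack_from("<I", data, 124)[0]:
        raise ValueError("EVTX file header checksum mismatch")
    chunk_count = struct.unpack_from("<H", data, 42)[0]
    for n in range(chunk_count):
        chunk = data[FILE_HEADER_SIZE + n * CHUNK_SIZE:][:CHUNK_SIZE]
        if len(chunk) < CHUNK_SIZE or chunk[:8] != CHUNK_MAGIC:
            break  # truncated copy or unused slot: nothing trustworthy beyond here
        free_off, rec_crc, hdr_crc = (struct.unpack_from("<I", chunk, o)[0] for o in (48, 52, 124))
        if zlib.crc32(chunk[:120] + chunk[128:512]) != hdr_crc:
            continue  # chunk header CRC covers bytes 0-119 and 128-511
        if free_off > CHUNK_SIZE or zlib.crc32(chunk[512:free_off]) != rec_crc:
            continue  # damaged records area: do not emit half-parsed events
        pos = 512
        while pos + 28 <= free_off and chunk[pos:pos + 4] == RECORD_MAGIC:
            size, rec_id, ft = struct.unpack_from("<IQQ", chunk, pos + 4)
            if size < 28 or pos + size > free_off:
                break
            if struct.unpack_from("<I", chunk, pos + size - 4)[0] != size:
                break  # trailing size copy disagrees: record is corrupt
            yield rec_id, filetime_to_iso(ft), chunk[pos + 24:pos + size - 4]
            pos += size


def ingest_bytes(data, host, channel_file, last_seen=-1):
    """Turn one .evtx image into event dicts, skipping record ids at or below
    the checkpoint so a rerun of the scripted input does not duplicate events."""
    events = []
    for rec_id, ts, body in parse_evtx(data):
        if rec_id <= last_seen:
            continue
        events.append({"_time": ts, "host": host, "source": channel_file,
                       "record_id": rec_id, "body_len": len(body)})
    return events


def ingest_tree(root, checkpoint_path):
    """Scan <root>/<Hostname>/*.evtx, print one JSON line per new record to
    stdout (the scripted-input contract) and advance the per-file checkpoint."""
    try:
        with open(checkpoint_path) as f:
            state = json.load(f)
    except (OSError, ValueError):
        state = {}
    for path in sorted(glob.glob(os.path.join(root, "*", "*.evtx"))):
        host = os.path.basename(os.path.dirname(path))  # hostname is the directory name
        with open(path, "rb") as f:
            data = f.read()
        try:
            events = ingest_bytes(data, host, os.path.basename(path), state.get(path, -1))
        except ValueError as err:
            print(json.dumps({"host": host, "source": path, "error": str(err)}))
            continue
        for ev in events:
            print(json.dumps(ev))
        if events:
            state[path] = max(ev["record_id"] for ev in events)
    with open(checkpoint_path, "w") as f:
        json.dump(state, f)


def build_evtx_fixture(records):
    """Construct a minimal, checksum-correct one-chunk EVTX image in memory.
    Constructed test data only, not a real Windows log. records: [(id, filetime, body)]."""
    blob = b""
    for rec_id, ft, body in records:
        size = 28 + len(body)
        blob += RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, ft) + body + struct.pack("<I", size)
    last_off = 512 + len(blob) - (28 + len(records[-1][2]))
    chunk = bytearray(CHUNK_SIZE)
    chunk[:8] = CHUNK_MAGIC
    chunk[512:512 + len(blob)] = blob
    struct.pack_into("<QQQQIIII", chunk, 8, 1, len(records), records[0][0], records[-1][0],
                     128, last_off, 512 + len(blob), zlib.crc32(blob))
    struct.pack_into("<I", chunk, 124, zlib.crc32(bytes(chunk[:120]) + bytes(chunk[128:512])))
    hdr = bytearray(FILE_HEADER_SIZE)
    hdr[:8] = FILE_MAGIC
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, 0, records[-1][0] + 1, 128, 1, 3, 4096, 1)
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[:120])))
    return bytes(hdr) + bytes(chunk)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: evtx_nas_input.py /Nas/Windows /path/to/checkpoint.json")
    ingest_tree(sys.argv[1], sys.argv[2])
```

Wired up as a scripted input, the stanza in inputs.conf would point at this script with an interval, and the sourcetype and index are set there rather than in the script; the per-record `_time` comes from the record header, so events keep their original Windows timestamps instead of the time of the copy. The checksum checks are the important caveat for files that arrive over a NAS share: a chunk that fails its CRC is skipped outright rather than partially parsed, and a file with a bad header is reported as an error event so the gap is visible in Splunk.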
