Hi everyone
I'm in the process of ingesting WEF events that are collected in a server folder, let's say D:\WEF\ForwardedEvents.evtx. Which one is the proper input?
1. Following the TA-windows default:
[WinEventLog://ForwardedEvents]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
host=WinEventLogForwardHost
index=win_wef
2. Or using a monitor stanza like:
[monitor://D:\WEF\ForwardedEvents.evtx]
disabled = 0
index = win_wef
sourcetype = XmlWinEventLog:ForwardedEvents
host = WinEventLogForwardHost
It is consumed by a clustered indexer and I already made sure the index exists and is distributed properly, but still no data is ingested into the indexer. Any suggestions?
Thank you.
You're not monitoring the evtx files correctly.
Use the WinEventLog://ForwardedEvents input.
Just be aware that your example contains a disabled input. So if you configured your environment this way, this input will not pull data from the Event Log.
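A small lint, added here as an example (it is not from this thread or from Splunk), that parses the two stanzas from the question and reports the two problems this reply points out: a WinEventLog:// input that is disabled, and a monitor:// stanza pointed at an .evtx file. The set of values treated as "disabled" is an assumption, not taken from Splunk documentation.

```python
"""Lint a Splunk inputs.conf for a disabled WinEventLog input or a monitor on .evtx."""
import configparser
from io import StringIO

# Constructed sample: the two stanzas from the question, side by side.
SAMPLE_INPUTS_CONF = r"""
[WinEventLog://ForwardedEvents]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
host=WinEventLogForwardHost
index=win_wef

[monitor://D:\WEF\ForwardedEvents.evtx]
disabled = 0
index = win_wef
sourcetype = XmlWinEventLog:ForwardedEvents
host = WinEventLogForwardHost
"""

# Assumption: these spellings are what we treat as a "true" disabled flag.
DISABLED_VALUES = {"1", "true", "yes", "t", "y"}


def parse_inputs_conf(text):
    """Parse inputs.conf stanzas into {stanza_name: {key: value}}.
    Splunk .conf files are INI-like; keys are case-sensitive, so we keep
    configparser from lower-casing them and turn off value interpolation."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_file(StringIO(text))
    return {name: dict(parser[name]) for name in parser.sections()}


def is_disabled(settings):
    """True when the stanza's disabled flag is set (absent means enabled)."""
    return settings.get("disabled", "0").strip().lower() in DISABLED_VALUES


def lint_inputs(stanzas):
    """Return a list of (stanza_name, message) findings."""
    findings = []
    for name, settings in stanzas.items():
        if name.startswith("WinEventLog://") and is_disabled(settings):
            findings.append((name, "WinEventLog input is disabled; set disabled = 0"))
        elif name.startswith("monitor://") and name.lower().endswith(".evtx"):
            findings.append((name, "monitor:// on an .evtx file does not read the Event Log; "
                                   "use a WinEventLog:// stanza instead"))
    return findings


if __name__ == "__main__":
    for stanza, message in lint_inputs(parse_inputs_conf(SAMPLE_INPUTS_CONF)):
        print(f"[{stanza}] {message}")
```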
Oh yeah, that disabled is set to true because I tried the monitor option. So there's no need to update props.conf or any other config except enabling the input?
It's... relatively easy but can be a bit complicated 😉
Generally, an input and an output are the only two things needed for your UF to get data and send it to an indexer.
In some specific use cases/configurations (like differentiating sourcetypes within files read by a single monitor input, assigning a timezone to data read from a particular forwarder, or using indexed extractions; your case is none of those) you need settings in props.conf on the UF as well. But in general, the settings from props.conf which are used on the UF are not mandatory.
Settings from props and transforms are applied (again - with some exceptions) on the indexers or on a HF if you have one before your indexers. Normally those settings are critical for proper breaking of the data stream into single events or for timestamp recognition. In the case of Windows Event Logs, the props/transforms which come with TA_windows also rewrite the source of the events and their host, in the case of WEF-forwarded events, to the originating host and the original Event Log. So the events are properly seen as coming from the System/Application/Security log and so on instead of just Forwarded Events.
But if you didn't have this addon installed you still should be getting those events (unless they have been filtered out somewhere in the middle). They would just be "malformed", but they'd be there.
To be continued...
EDIT: Continuing...
So there are several possibilities here why you're not getting your data. And there are several troubleshooting steps which you can take to narrow down the source of your problem.
1. Are you getting _any_ data from the forwarder? You can check the _internal index for forwarder's internal logs. If you're not getting them either there is a more general problem with your data ingestion from that forwarder than just this particular input.
2. Is this input able to read the data? Check the output of
splunk list inputstatus
on the forwarder. Check the forwarder's logs for problems subscribing to the event log (typically when the eventlog data is not ingested, there are problems with permissions for the user the forwarder service is running as).
3. If the forwarder is subscribing properly to the Forwarded Events log, check the forwarder metrics (thruput by source will be the best one here I think) to see if the events are getting sent out from the forwarder.
Listing the input status gives no eventlog listed. After some exploration, the forwarded eventlog is different from the common Windows eventlogs (security, system) that can be automatically sent to Splunk.
I also tried to match the service user that runs splunkforwarder against the Event Log Readers permission. And there is no user with that permission. Maybe this one is the reason.
OK. If list inputstatus shows no wineventlog inputs at all, that means you didn't enable the input correctly.
Check
splunk btool inputs list --debug
on the forwarder