Splunk Enterprise

Windows Eventlog in JSON format

fatsug
Builder

Pretty sure the forwarder can pass eventlogg as either XML or JSON from a host. If this is not incorrect, then could anyone consider sharing a bit of eventlog in "Splunk native" JSON format as "raw"?

I have some log samples in JSON format though in non standard layout with some added metadata. What I'm looking for is a sample of eventlog in JSON format which might be accepted by TA_windows and other apps to compare against.

Hopefully someone has some sample log they could share and spare me the need to to generate samples 🙂

Best regards

Tags (2)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

No. Natively eventlog inputs, because that's what we're talking about, generate either "plain text" or xml events depending on the renderXml parameter. There is no built-in functionality to ingest eventlog data as json. At leas not natively with UF's eventlog input. You could of course try to use a third party solution like nxlog, kiwi or something like that to generate json events from eventlog (I'm not sure if those particular examples can do that though) but that's a different story and it's a bit pointless really since you have a perfectly well (ok, almost perfectly) working inputs and accompanying TA for windows eventlogs.

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

TA_windows expects data in either "traditional" rendered text format (key=value multiline event) or an xml structure. If you want to send them another way you'll have to write your own extractions and make it CIM-conformant.

0 Karma

fatsug
Builder

Hmm, so there is no option for the forwarder to send the log in TA_windows/CIM compliant JSON format?

I know XML is compatible because this is what we normally index, and there is no JSON compliance?

In that case, well then the "easy solution" has an even smaller chance of making it to the next family therapy session than a pickled Rick...

I'll hold of on marking this a solution until the last bit of hope is gone 🙂 But if I understand you correctly, even if the eventlog can be forwarded in JSON format (big if), this is not compliant with the TA for windows in the SH/IX cluster.

Best regards

Tags (1)
0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @fatsug ...Please update us..

1) if you are able to receive logs from the windows host to the indexer ?

index=* host=<win-hostname> | stats count by sourcetype

2) if yes, are you able to receive windows eventlogs or not.

if yes, you can try to view a single event and update us, your other queries... 

 

Splunk newbie learning videos, for absolute beginners:
https://www.youtube.com/@SiemNewbies101/playlists

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

fatsug
Builder

There's a fine line I'm trying not to cross.

Yes, we are collecting logs being indexed in JSON format.

No, they are not "standard" with regards to field names, order and content as we are not collecting/indexing the eventlog in conventional or forwarder based manner.

The log were indexing is not CIM compliant or compatible with the Splunk TA for windows. We'd like to "adjust" incoming events in the HF layer to become "compliant". To evaluate if this is reasonable I'd need a couple of reference events of Splunk/CIM/TA compliant eventlog in JSON format.

I seem to remember there being a setting for the Windows TA for UF to send eventlog in JSON format. Hence, the ask for sample of windows eventlog in JSON format. 

If I'm mistaken and XML is the only forwarded format, or if there is but no one willing to share a sample, we'll just have to deploy a test environment and try to generate the JSON data we need. I just thought this could be a faster solution given that someone could share some (masked is fine) events.

If I'm mistaken and the UF cannot forward eventlog in JSON format, then case closed and we're done here 🙂

Best regards

 

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

No. Natively eventlog inputs, because that's what we're talking about, generate either "plain text" or xml events depending on the renderXml parameter. There is no built-in functionality to ingest eventlog data as json. At leas not natively with UF's eventlog input. You could of course try to use a third party solution like nxlog, kiwi or something like that to generate json events from eventlog (I'm not sure if those particular examples can do that though) but that's a different story and it's a bit pointless really since you have a perfectly well (ok, almost perfectly) working inputs and accompanying TA for windows eventlogs.

fatsug
Builder

Right, so basically I was mistaken in remembering you could opt to ingest Windows eventlog as JSON using the standard Splunk setup 🙂

I would really prefer not to have it delivered as JSON, though for this partucualre case there is no option. It's JSON or nothing, it is already converted on the "sender side".

While not what I hoped for of course it does answer my question and there is no "shortcut". Well just have to solve it "the hard way"

Tanks

0 Karma

PickleRick
SplunkTrust
SplunkTrust

I had a situation when the customer wanted to ingest windows eventlogs forwarded by some strange third-party "eventlog-to-syslog" solution. In this case it was not json but some key=value pairs but the idea is the same - there is so much work needed to properly process it afterwards and it would require a lot of development to prepare everything to "mirror" the TA_windows settings. So we told the customer that if there is no other way, of course we can ingest the data so it will be searchable "somehow" in case there is a need for finding something in the raw events but we will not even attempt to make it "compatible" with normal windows logs. It makes no sense.

fatsug
Builder

Yeah, that's basically what I'm worried about 🙂 Thank you for the feedback

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...