How to collect Windows event logs and field extrac...

hopnscotch · ‎09-10-2015

In my situation, installing a universal forwarder is NOT an option for the remote Windows machine. I am using snare to bring them in and the sourcetype of windows_snare_syslog, however there are no field extractions. After a lot of research to try and get a solution to extract fields for the event logs, I set up Spunk Enterprise to run on Windows, however, still no extractions. All of the windows-related apps I have tried seem to assume or need you to get the logs from a Splunk forwarder.

Can you advise what specific app to use or other settings to get the field extractions working?

thuyentv2591 · ‎01-26-2018

Hi ALL,
I can not see sourcetype snare:application or snare:security while go installed app splunk-ta-windows.
this case i go monitoring log file from rsyslog server.
this here use snare agent send syslog to rsyslog server.
please clear help me how to parsing this log file windows use format snare agent.
many thanks your suppott

dturnbull_splun · ‎09-11-2015

The Splunk App-on for Windows has extractions for Snare syslog with a sourcetype of Snare:Security or Snare:Application etc.

hopnscotch · ‎09-11-2015

The add-on is just for the local system, not for remote snare logs coming in.

somesoni2 · ‎09-10-2015

You configured the custom field extractions (after your research) on Search Head for your sourcetype windows_snare_syslog, correct? Are you using any in-built dashboard searches which might be referring to different index/sourcetype?

hopnscotch · ‎09-11-2015

So to be clear.. I haven't done any custom extractions myself as I don't want to spend a ton of time on something that I would assume is already available somewhere.

How to collect Windows event logs and field extractions without using a universal forwarder?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...