Splunk Search

How to collect Windows event logs and field extractions without using a universal forwarder?

hopnscotch
Path Finder

In my situation, installing a universal forwarder is NOT an option for the remote Windows machine. I am using Snare to bring the logs in with the sourcetype windows_snare_syslog; however, there are no field extractions. After a lot of research to try to get a solution that extracts fields for the event logs, I set up Splunk Enterprise to run on Windows, but there are still no extractions. All of the Windows-related apps I have tried seem to assume or need you to get the logs from a Splunk forwarder.

Can you advise what specific app to use or other settings to get the field extractions working?

0 Karma

thuyentv2591
New Member

Hi all,
I cannot see the sourcetype snare:application or snare:security after installing the app splunk-ta-windows.
In this case I am monitoring a log file from an rsyslog server.
Here the Snare agent sends syslog to the rsyslog server.
Please help me with how to parse this Windows log file in the Snare agent format.
Many thanks for your support.

0 Karma

dturnbull_splun
Splunk Employee

The Splunk Add-on for Windows has extractions for Snare syslog with a sourcetype of Snare:Security or Snare:Application etc.
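The sourcetype is what makes or breaks this: extraction rules keyed on snare:security or snare:application never fire on data that arrives as windows_snare_syslog. As an added illustration (not code from this thread or from the add-on), the following Python parser splits a Snare syslog line into fields and derives that sourcetype from the Windows log name; the field order is assumed from Snare's published MSWinEventLog format, the field names and the log-name mapping are this example's own, and the sample line is constructed.

```python
from typing import Optional

# Field order that follows the "MSWinEventLog" token in a classic Snare for Windows
# syslog line (tab-delimited). Assumed from Snare's published format; the field names
# are this example's own, not those used by the Splunk Add-on for Windows.
SNARE_FIELDS = [
    "criticality", "event_log", "snare_counter", "submit_time", "event_id",
    "source_name", "user", "sid_type", "event_type", "computer",
    "category", "data", "expanded", "checksum",
]

# Assumed: the sourcetype that the add-on's extractions are keyed on for each log name.
SOURCETYPE_BY_LOG = {"Security": "snare:security",
                     "Application": "snare:application",
                     "System": "snare:system"}

MARKER = "MSWinEventLog\t"


def parse_snare(line: str) -> Optional[dict]:
    """Extract fields from one Snare syslog line; None if it is not a Snare event."""
    pos = line.find(MARKER)
    if pos < 0:
        return None
    # Everything before the marker is the syslog header; its last token is the host.
    header = line[:pos].split()
    host = header[-1] if header else ""
    parts = line[pos + len(MARKER):].rstrip("\r\n").split("\t")
    # Fold any extra tabs into the last field and pad short lines so nothing is lost.
    if len(parts) > len(SNARE_FIELDS):
        parts = parts[:len(SNARE_FIELDS) - 1] + ["\t".join(parts[len(SNARE_FIELDS) - 1:])]
    parts += [""] * (len(SNARE_FIELDS) - len(parts))
    event = dict(zip(SNARE_FIELDS, parts))
    event["host"] = host
    # Derive the sourcetype the add-on expects from the Windows log name; fall back
    # to the generic syslog sourcetype the question mentions.
    event["sourcetype"] = SOURCETYPE_BY_LOG.get(event["event_log"], "windows_snare_syslog")
    return event


# Constructed sample: a failed logon (event 4625) as Snare would forward it.
SAMPLE = ("<13>Mar 10 12:00:01 WIN-DC01 MSWinEventLog\t1\tSecurity\t4711\t"
          "Sun Mar 10 12:00:01 2024\t4625\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\t"
          "Failure Audit\tWIN-DC01\tLogon\t\tAn account failed to log on.  "
          "Account Name: jdoe  Logon Type: 3\t42")

if __name__ == "__main__":
    ev = parse_snare(SAMPLE)
    print(ev["sourcetype"], ev["event_id"], ev["event_type"], ev["host"])
```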

hopnscotch
Path Finder

The add-on is just for the local system, not for remote snare logs coming in.

0 Karma

somesoni2
SplunkTrust

You configured the custom field extractions (after your research) on the search head for your sourcetype windows_snare_syslog, correct? Are you using any built-in dashboard searches which might be referring to a different index/sourcetype?

0 Karma

hopnscotch
Path Finder

So, to be clear: I haven't done any custom extractions myself, as I don't want to spend a ton of time on something that I would assume is already available somewhere.

0 Karma