Splunk Search

How to collect Windows event logs and field extractions without using a universal forwarder?

Path Finder

In my situation, installing a universal forwarder is NOT an option for the remote Windows machine. I am using Snare to bring the logs in with the sourcetype windows_snare_syslog; however, there are no field extractions. After a lot of research to try and get a solution to extract fields for the event logs, I set up Splunk Enterprise to run on Windows; however, there are still no extractions. All of the Windows-related apps I have tried seem to assume or need you to get the logs from a Splunk forwarder.

Can you advise what specific app to use or other settings to get the field extractions working?

New Member

Hi all,
I cannot see the sourcetype snare:application or snare:security after installing the app splunk-ta-windows.
In this case I am monitoring a log file from an rsyslog server.
Here, the Snare agent sends syslog to the rsyslog server.
Please help me understand how to parse this Windows log file in the Snare agent format.
Many thanks for your support.

Splunk Employee

The Splunk Add-on for Windows has extractions for Snare syslog with a sourcetype of Snare:Security or Snare:Application etc.
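As an added example (not from the original thread, and not configuration shipped with the add-on): the sourcetype rewrite a practitioner would put on the indexer or heavy forwarder that first parses the remote syslog, so that Snare events arriving as windows_snare_syslog land in the add-on's Snare sourcetypes and pick up its search-time extractions. It assumes the Snare agent is sending its default record layout (the literal marker MSWinEventLog, a criticality number, then the event log name, tab- or space-delimited) and that the installed add-on's props.conf defines stanzas named snare:security, snare:application and snare:system; check the exact stanza names in your copy, since sourcetype matching is case-sensitive.

```ini
# props.conf -- on the indexer or heavy forwarder that first parses the data
# (not on the search head: sourcetype rewriting is an index-time operation).
# Stanza name assumed to match the sourcetype your syslog input assigns.
[windows_snare_syslog]
TRANSFORMS-snare_sourcetype = snare_st_security, snare_st_application, snare_st_system

# transforms.conf -- same instance.
# Assumed Snare record layout:
#   <host> MSWinEventLog <criticality> <LogName> <counter> <date> <EventID> ...
# delimited by TAB (Snare default) or space; the field after the criticality
# is the Windows event log name, which selects the destination sourcetype.
[snare_st_security]
REGEX = MSWinEventLog[\t ]+\d+[\t ]+Security[\t ]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::snare:security

[snare_st_application]
REGEX = MSWinEventLog[\t ]+\d+[\t ]+Application[\t ]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::snare:application

[snare_st_system]
REGEX = MSWinEventLog[\t ]+\d+[\t ]+System[\t ]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::snare:system
```

Two things to check after restarting splunkd: the rewrite applies only to events indexed after the change, so test with fresh data (index=<your_index> sourcetype=snare:*), and the add-on must also be installed on the search head, because the field extractions it provides are search-time knowledge objects keyed on the new sourcetype name. Events whose log name is not matched by any of the three regexes keep the original windows_snare_syslog sourcetype, which makes them easy to find and add a stanza for.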

Path Finder

The add-on is just for the local system, not for remote snare logs coming in.

Revered Legend

You configured the custom field extractions (after your research) on Search Head for your sourcetype windows_snare_syslog, correct? Are you using any in-built dashboard searches which might be referring to different index/sourcetype?

Path Finder

So, to be clear: I haven't done any custom extractions myself, as I don't want to spend a ton of time on something that I would assume is already available somewhere.
