How to import Windows Log files?

Douggg · ‎11-09-2012

I'm a new Splunk user so don't dump on me if theis is a dumb quesiton but I can't find any tutorials or how to for Splunk 5.

I have an Microsoft evt and evtx files. (Microsoft log files.) Downloaded and installed Splunk 5, so default install. When I attempt to import the evt and evtx files all I see is what appears to be junk in the preview window.

In looking at instructions for previous versions of Splunk it appears there's an add-in or modules I need to add Microsoft event files. Do I need to do the same with Splunk 5?

Thanks

Kate_Lawrence-G · ‎11-09-2012

The issue is that evt/evtx files are binary and can't be imported natively to Splunk.

You can install Splunk for Windows if you are using a full Splunk installation and that will allow some support for indexing the events from event viewer. Or if you have the universal forwarder installed you can configure windows scripted inputs to capture events from the events viewer and forward them to Splunk.

-kate

ChrisG · ‎11-09-2012

Just to start...did you read Monitor Windows event log data in the Getting Data In Manual? Considerations for deciding how to monitor remote Windows data is worth looking at as well if you have a significant number of Windows hosts.

How to import Windows Log files?

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...