Since I wrote this, I have embarked upon a long, arduous journey into the bowels of Micro$oft's Event Logging. And, I just want to mention this up front...approximately five weeks ago (end of August) I opened up a case with Micro$oft to get some assistance. Then I began trying to figure it out myself.
First, the ETL file. ETL files are binary. They can usually be decoded with a M$ WDK tool called TRACEVIEW. TRACEVIEW can be used to open and view, or even convert, the contents of an ETL file, using a key file called a TMF file. TMF files are contained in PDB files, and PDB files are contained within M$ Symbol files. There are many Symbol files; in fact, for each build of Windows there are a minimum of two: Checked and Retail. That means that if you don't know exactly what your build of Windows is, you could end up downloading multiple Symbol files, each one taking about 10 minutes to download and another 20 minutes to install.
The really fun part of this is that even if you do know your version of Windows (mine was 6.3.9600.17809, found with the command "SLMGR /DLV"), you still might not be able to find the exact Symbol file match to your build. For me, there were roughly a half dozen or so Windows 8 builds: every version of Windows 8, starting at 8.0 Developer Preview all the way up through Windows 8.1, and Windows 8.1 had several versions in and of itself. Keep in mind that each one of these versions has at least two Symbol files to download and install. Fortunately for all, the install files are all named with the build of Windows to which they are relevant.
By the way, just having the Symbol files is not enough. If you plan to get a copy of TRACEVIEW, you will need to download the entire debugging set for Windows 8, which means you must have Visual Studio 12, the WDK, and the SDK. You will probably need the Debug Universal Drivers, too. Even this would not be too onerous, if it weren't for the fact that Micro$oft has sabotaged the link. (Just TRY to download the Debugging tools for Windows 8.1.)
So, after having downloaded the only components I could (SDK and WDK), and 8.1 build 9600 Symbol files, I began to sift through them (using TraceView and TracePDB) attempting to locate the GUID that the ETL file was encoded with. It wasn't there. I widened my search to previous builds, and even to the ARM builds. Not there. This entire effort took me the better part of a month.
This entire time I was playing tag with the M$ tech rep. I finally wrote to his team lead and his manager, and got a call almost immediately afterwards. He told me a quick, expedient way to turn my ETL file into an EVTX file. By going into the properties of the specific event log and changing the name of the file to which the events are written from ".etl" to ".evtx", it will save as a Windows Event Log file. It turns out that this entire time, when I had been requesting that he find and send to me the correct TMF file to unlock the ETL file, all I had to do was click my ruby slippers and say, "There's no file like .evtx...there's no file like .evtx..." Now here's the kicker: it turns out that this was by design ... according to him, there is no TMF file to decode these event logs.
The real bear of this situation is that I did that at the very beginning...and I got a text file with a different name but not a different file format.
So, to recap: The M$ technician told me how to create an .evtx file of the \\Applications and Service Logs\Microsoft\Windows\WLAN-AutoConfig\Diagnostic events. Examining the c:\windows\system32\winevt\logs directory for the Microsoft-Windows-WLAN-AutoConfig-Diagnostic.evtx file shows that it has the correct file extension and Windows is declaring it to be an authentic Windows Event Log file (whereas before it claimed it was just a text file).
Now that I have an authentic .evtx file, I should be able to use my Inputs.Conf just like it was, right? Well, I tried it, and it's not working. Just like before, I'm getting Application events, and I'm getting \\Applications and Service Logs\Microsoft\Windows\WLAN-AutoConfig\Operational events, but no \\Applications and Service Logs\Microsoft\Windows\WLAN-AutoConfig\Diagnostic events. I walked around my building, passing multiple APs, watching the size of the Diagnostic .evtx file grow, and saw no events arrive at the Splunk box. I went so far as to load Wireshark on the device and watch the traffic going to the Splunk box. No Diagnostic events are being forwarded.
Here is my Inputs.Conf:
[default]
host = SLATE911KR

# Classic Application log: these events do arrive at the indexer
[WinEventLog://Application]
disabled = 0
index = tablets
sourcetype = tablet_App

# WLAN-AutoConfig Operational channel: these events also arrive
[WinEventLog://Microsoft-Windows-WLAN-AutoConfig/Operational]
disabled = 0
index = tablets
sourcetype = tablet_WLAN_Op

# WLAN-AutoConfig Diagnostic channel: enabled, file grows on disk, nothing forwarded
[WinEventLog://Microsoft-Windows-WLAN-AutoConfig/Diagnostic]
disabled = 0
index = tablets
sourcetype = tablet_WLAN_Diag

[WinEventLog://Microsoft-Windows-WLAN-Driver/Analytic]
disabled = 0
index = tablets
sourcetype = tablet_WLAN_Analytic

# Security and System stanzas are defined but switched off (disabled = 1)
[WinEventLog://Security]
disabled = 1
index = tablets
sourcetype = tablet_Sec

[WinEventLog://System]
disabled = 1
index = tablets
sourcetype = tablet_Sys

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
I have checked the paths, and the file names, and made sure the case was correct...and even checked to see if case mattered, by changing the filename of the working .evtx file. Doesn't appear to have made any difference.
So for those Splunk experts who say, "If it's an .evtx file it can be forwarded by the Universal Forwarder and digested by Splunk.", my question is, what's next?
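Before spending more time on symbol files or renamed log files, the check a practitioner would want is to ask the operating system itself what kind of channel each WinEventLog stanza points at and whether it is enabled and holds records. The PowerShell below is an added example, not code from the original post or from Splunk; the channel names are copied from the inputs.conf above, and everything it reports (log type, enabled state, record count, backing file path) comes from the machine it runs on. Get-WinEvent -ListLog returns the channel's configuration object, whose LogType is one of Administrative, Operational, Analytical or Debug.

```powershell
# Added example (not part of the original post): report the properties of the
# event channels named in the post's inputs.conf that decide whether a log
# collector can read them. Run in an elevated PowerShell on the tablet.

$channels = @(
    'Microsoft-Windows-WLAN-AutoConfig/Operational',
    'Microsoft-Windows-WLAN-AutoConfig/Diagnostic',
    'Microsoft-Windows-WLAN-Driver/Analytic'
)

foreach ($name in $channels) {
    # -ListLog returns channel metadata (an EventLogConfiguration), not events.
    # It throws if the channel name is not one the OS has registered, which
    # catches a typo in a stanza name before anything else is blamed.
    try {
        $log = Get-WinEvent -ListLog $name -ErrorAction Stop
    } catch {
        Write-Warning "Channel '$name' not found: $($_.Exception.Message)"
        continue
    }

    [pscustomobject]@{
        Channel     = $log.LogName
        LogType     = $log.LogType        # Administrative, Operational, Analytical or Debug
        IsEnabled   = $log.IsEnabled      # Analytic/Debug channels are off unless switched on
        RecordCount = $log.RecordCount    # events currently in the backing file
        FileSizeKB  = [int]($log.FileSize / 1KB)
        LogFilePath = $log.LogFilePath    # the file whose extension the post renamed
    } | Format-List

    # Pull the first few records so you can see whether the channel is actually
    # receiving events. Analytic/Debug-type channels can only be read oldest-first,
    # so -Oldest is used for every channel here.
    if ($log.IsEnabled -and $log.RecordCount -gt 0) {
        Get-WinEvent -LogName $name -MaxEvents 3 -Oldest -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName, ProviderName
    }
}

# The same metadata from the built-in CLI, handy to paste into a support case:
#   wevtutil gl Microsoft-Windows-WLAN-AutoConfig/Diagnostic
```

Comparing the LogType and RecordCount of the Operational channel (which the post says is forwarded) against the Diagnostic channel (which is not) narrows the question to what differs between the two channels rather than to file extensions or symbol files.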