Hi Splunkers
I have a problem with my Windows Event Collector (Windows Server 2012 R2). I'm not able to install a Universal Forwarder on every system. So we are collecting data with a Windows Event Collector. On this Server I have installed a Universal Forwarder and the Splunk_TA_windows app. There I've created a new input stanza like this:
[WinEventLog://ForwardedEvents]
sourcetype = WinEventLog:ForwardedEvents
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = Test
renderXml = false
This works for indexing data, but unfortunately, the log in Splunk is wrongly parsed.
03/23/2018 02:01:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5061
EventType=0
Type=Microsoft Windows security auditing.
ComputerName=XY.xy.intranet
TaskCategory=Microsoft Windows security auditing.
OpCode=Microsoft Windows security auditing.
RecordNumber=189333
Keywords=Microsoft Windows security auditing.
Message=Microsoft Windows security auditing.
As you can see, the fields are wrong because everywhere it says "Microsoft Windows security auditing". But in the Event Viewer I see all the information correctly.
All the other Windows Event Logs from System, Application, Setup and Security are perfectly fine in Splunk.
There is no special parsing (props, transforms) for those logs. I've installed Splunk_TA_windows on every instance (UF, HF, Indexer, SH).
Does somebody know this issue? Is the format of the Windows Event Collector a different one?
Thanks for your help and kind regards,
Lukas
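A small ingest data-quality check written for this thread (an added example, not code from the post or from Splunk): it parses the key=value text rendering quoted above and flags records whose Type, TaskCategory, OpCode, Keywords and Message all collapsed to the SourceName value, so broken forwarded events can be alerted on instead of being silently indexed. The BAD_EVENT sample is the record from the post; the GOOD_EVENT values are invented for contrast.

```python
import re

# Constructed sample input: the mis-parsed ForwardedEvents record quoted in the post,
# plus an invented, correctly rendered Security event of the same shape for contrast.
BAD_EVENT = """03/23/2018 02:01:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5061
EventType=0
Type=Microsoft Windows security auditing.
ComputerName=XY.xy.intranet
TaskCategory=Microsoft Windows security auditing.
OpCode=Microsoft Windows security auditing.
RecordNumber=189333
Keywords=Microsoft Windows security auditing.
Message=Microsoft Windows security auditing."""
GOOD_EVENT = """03/23/2018 02:05:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=XY.xy.intranet
TaskCategory=Logon
OpCode=Info
RecordNumber=189340
Keywords=Audit Success
Message=An account was successfully logged on."""

# Fields that carry distinct descriptive values in a properly rendered event.
DESCRIPTIVE_FIELDS = ("Type", "TaskCategory", "OpCode", "Keywords", "Message")

def parse_wineventlog(text):
    """Parse Splunk's key=value WinEventLog text; the first line is the timestamp.
    Continuation lines of a multi-line Message body are skipped (first line kept)."""
    lines = text.strip().splitlines()
    fields = {"_time": lines[0].strip()}
    for line in lines[1:]:
        if m := re.match(r"^([A-Za-z]+)=(.*)$", line):
            fields[m.group(1)] = m.group(2).strip()
    return fields

def is_degenerate(fields):
    """True when every descriptive field merely repeats SourceName (metadata unresolved)."""
    source = fields.get("SourceName")
    present = [fields[f] for f in DESCRIPTIVE_FIELDS if f in fields]
    return bool(present) and all(v == source for v in present)

def degenerate_records(events):
    """RecordNumbers of raw events whose fields collapsed; suitable for an ingest alert."""
    return [f["RecordNumber"] for f in map(parse_wineventlog, events) if is_degenerate(f)]
```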