×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Erad
New Member
Member since: ‎01-18-2021
‎01-19-2021
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-18-2021
View All

Normalizing imported .evtx files with Splunk Windo...

by in Getting Data In
‎01-18-2021 01:21 PM
‎01-18-2021 01:21 PM
Greetings all, I'm in a situation where I would like do "offline" Windows event logs analysis, and I need to be able to ingest raw evtx files. Here is my setup: Deployed a Windows Splunk instance on a single VM, Installed and configured the Splunk Add-on for Microsoft Windows TA. I'm ingesting the files I need with a "monitor" stanza in the Windows app's inputs.conf: [monitor://C:\imported_data\evtx] disabled = 0 sourcetype = preprocess-winevt crcSalt = <SOURCE> index = imported-evtx Now, the logs are ingested and parsed and it's already a start (I get proper sourcetypes and everything). However, they do not go through the Windows' app normalizing process, e.g. events don't get populated with the "EventID" field, user names are not parsed into SubjectUserName and TargetUserName fields, things like that.   Is there a way of making those imported logs properly handled by the TA? Note: if I try and ingest my local VM's logs with a [WinEventLog://Security] stanza, they are successfully normalized by the app.   Cheers, Erad ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-19-2021 06:08 AM