Retrieving Windows Event logs with hyphens in the name

torowa
Path Finder

Hi Splunkers.
I am trying to retrieve Windows event logs from an endpoint using a universal forwarder.
I am having problems doing this where the log location contains a hyphen in the path/name.

Normally, to access a log located in the Events such as: --> Microsoft --> Windows --> AppLocker --> EXE and DLL
one would use [WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL] in the inputs.conf

... The "-" in the WinEventLog stanza heading is used as the path separator, not unlike a "/" in a pathname.

The problem I am having is where the paths or the actual name of a particular log contains a "-".
For example, for a path such as --> Microsoft --> Windows --> BitLocker-API --> Management, how do you escape the "-" in the WinEventLog:// stanza so that Splunk interprets the "-" as part of "Bitlocker-API", and not the path separator.

Is there any special handling needed to escape the "-" for it to be interpreted correctly?
I have tried many combinations, including escaping it with a "\", but had no luck. The log is never retrieved.

Have tried this with a custom path without a "-" in the name and it works as expected. Creating an identical custom log with a "-" in the name/path does not retrieve the log.

Cheers.


torowa
Path Finder

O.K., got it. For others chasing this, it seems the log names displayed in the tree view of Event Viewer are not necessarily what they are called.
The best way to get the string for the WinEventLog stanza is to use Event Viewer and open the properties of the log.
The "Full Name" field will give you the name needed in the stanza.

For example, browsing Event Viewer, the BitLocker log displays under the following path:
Microsoft -> Windows -> BitLocker-API -> Management.

"Microsoft-Windows-BitLocker/BitLocker Management" is how it shows up under properties (note the "-API" part is missing).

Thanks for looking...

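The "Full Name" check from the accepted answer can be done without clicking through Event Viewer. The following PowerShell is an added example and is not code from the thread or from Splunk: it lists the real channel names behind the tree view with the built-in Get-WinEvent -ListLog cmdlet, verifies that a candidate stanza name exists and is enabled, and prints the inputs.conf stanza with the channel name used verbatim. The wildcard pattern, the index name and the stanza settings shown are assumptions for illustration; only disabled and renderXml are standard WinEventLog input settings.

```powershell
# Added example, not from the thread. Run on the Windows host where the universal
# forwarder will collect, from an elevated PowerShell prompt (some channels are only
# listable as Administrator).

function Get-ChannelCandidates {
    # Return the real LogName of every channel matching a pattern. The tree view shows
    # "BitLocker-API", but LogName is the string inputs.conf expects.
    param([string]$Pattern = '*BitLocker*')   # assumed pattern for this example
    Get-WinEvent -ListLog $Pattern -ErrorAction SilentlyContinue |
        Select-Object LogName, IsEnabled, RecordCount
}

function Test-EventChannel {
    # Check one exact channel name before putting it in a stanza. A name that does not
    # exist (for example a hyphen treated as a separator) raises an error, which is
    # caught and reported as Exists = $false.
    param([Parameter(Mandatory)][string]$LogName)
    try {
        $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
        [pscustomobject]@{ LogName = $log.LogName; Exists = $true; Enabled = $log.IsEnabled; Records = $log.RecordCount }
    } catch {
        [pscustomobject]@{ LogName = $LogName; Exists = $false; Enabled = $false; Records = 0 }
    }
}

function New-WinEventLogStanza {
    # Emit the inputs.conf stanza. The LogName goes in unchanged: the hyphen inside
    # "Microsoft-Windows-BitLocker" is part of the channel name and needs no escaping.
    param([Parameter(Mandatory)][string]$LogName,
          [string]$Index = 'wineventlog')    # assumed index name
@"
[WinEventLog://$LogName]
disabled = 0
renderXml = true
index = $Index
"@
}

# Usage: list candidates, validate the name from the Event Viewer "Full Name" field,
# then generate the stanza only for channels that exist and are enabled.
Get-ChannelCandidates | Format-Table -AutoSize

foreach ($name in @('Microsoft-Windows-BitLocker/BitLocker Management',
                    'Microsoft-Windows-BitLocker-API/Management')) {
    $r = Test-EventChannel -LogName $name
    if ($r.Exists -and $r.Enabled) {
        New-WinEventLogStanza -LogName $r.LogName
    } else {
        Write-Warning "Skipping '$name': exists=$($r.Exists) enabled=$($r.Enabled)"
    }
}
```

The IsEnabled column matters as much as the name: a channel that exists but is disabled produces no events for the forwarder, which looks identical to a misspelled stanza from the Splunk side. Running the validation on the endpoint separates the two cases before touching inputs.conf.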

nickhills
Ultra Champion

Great job solving your own problem. You should accept your own answer, so that others searching in the future know you resolved it.
Good Luck.

If my comment helps, please give it a thumbs up!
0 Karma

richgalloway
SplunkTrust

@torowa If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.

kmower
Path Finder

Can you post your [monitor] stanza from inputs.conf for that path?


torowa
Path Finder

I have tried all these variants:

WinEventLog://Microsoft-Windows-BitLocker-API/Management

Also have tried varying forms of escaping the "-" between BitLocker and API:

[WinEventLog://Microsoft-Windows-BitLocker-API/Management]
[WinEventLog://Microsoft-Windows-BitLocker\-API/Management]

None of these seemed to do the trick....


torowa
Path Finder

For example...

This one works:
[WinEventLog://Microsoft-Windows-BranchCache/Operational]

The actual log itself is called "Operational".

... however, trying to access --> Microsoft -> Windows -> BitLocker-API -> Management doesn't work (note that one of the path segments is "BitLocker-API").

I suspect this one doesn't work as Splunk would see "Bitlocker" and "API" as being different segments of the path:
[WinEventLog://Microsoft-Windows-BitLocker-API/Management]

I've tried escaping the "-" in both of these:
[WinEventLog://Microsoft-Windows-BitLocker\-API/Management]
[WinEventLog://Microsoft-Windows-BitLocker-API/Management]

but have been unable to pull the events successfully.
