I am trying to use Splunk to review windows logs that were exported from machines that are not on a network. I have copied the .evtx files to my Splunk machine.
Fresh install of Splunk 9.0.1
Below is the process I used to try to get the events indexed. I think this is the same process I have used in the past but for some reason no events are indexed.
1. Settings --> New Index
2. Enter Name for index
3. Save
4. Settings --> Data Inputs
5. Files and Directories
6. New Local File and Directory
7. Input Path of top level folder containing logs
8. Select Continuously Monitor
9. Next
10. Source Type: Automatic
11. App Context: Search and reporting
12. Select Constant Value
13. Host field name:*
14. Select Index Created in steps 1- 3
15. Review
16. Start Searching
The search results in 0 events listed. I delete everything from the search box except index="nameofindex" and still there are no events listed.
The sourcetype to use is 'wineventlog'.
Hi @rockb,
to ingest wineventlogs you have to use the wineventlog connector created by Splunk because windows eventlogs are encrypted.
As @richgalloway said, you have to use a different input option: [Settings -- Data inputs -- Local event log Collection], and the correct sourcetype will automatically be associated with the logs: wineventlog:security, wineventlog:application, wineventlog:system.
My hint is to use a different approach:
In this way, you have a more organized data input.
Ciao.
Giuseppe
evtx files are _not_ encrypted. You can move your files around and you can import them into another machine and whatnot. And you don't have to provide any secrets in doing so. So they are not encrypted. They are however encoded so they are not in a plain text format and are thus useless for direct importing with a monitor input.
One could try importing the files into event viewer and setting an Event Log input with the destination log name. Might work but I haven't tried it myself.
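The "encoded, not encrypted" point above can be checked directly. The following is an added example (my own code, not posted by anyone in this thread and not a Splunk tool): it parses only the fixed-size headers of an .evtx file as laid out in the public EVTX format description (4 KiB file header, 64 KiB chunks, 24-byte record headers, CRC32 checksums over the header and record areas) and lists record ids and write timestamps. No key or secret is involved anywhere, which is the whole argument. It does not decode the binary XML payload, so it is a triage tool, not a converter. The sample file it builds when run without arguments is constructed in the code, and the CRC32 coverage ranges are taken from the published format notes rather than from anything on this page.

```python
"""Header-level triage of exported Windows .evtx files (added example, not from the thread).

Why a plain monitor input with sourcetype=Automatic shows 0 events: the file is
a structured binary container with no line-oriented text in it, and Splunk's
default binary check skips such files. Nothing here is encrypted; every field
below is read with plain struct offsets from the documented layout.
"""
import struct
import zlib
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
FILE_HEADER_BLOCK = 4096   # file header is padded to 4 KiB
CHUNK_SIZE = 65536         # every chunk is exactly 64 KiB
CHUNK_HEADER_SIZE = 512    # 128-byte header + string/template offset tables
RECORD_HEADER_SIZE = 24    # magic(4) + size(4) + record id(8) + FILETIME(8)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ft: int) -> str:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def iso_to_filetime(iso: str) -> int:
    return ((datetime.fromisoformat(iso) - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_evtx(data: bytes) -> bool:
    return data[:8] == FILE_MAGIC


def parse_file_header(data: bytes) -> Dict[str, Any]:
    if not is_evtx(data):
        raise ValueError("no ElfFile signature: not an .evtx file")
    (first_chunk, last_chunk, next_record_id, _hdr_size,
     minor, major, _block, chunk_count) = struct.unpack_from("<QQQIHHHH", data, 8)
    flags, checksum = struct.unpack_from("<II", data, 120)
    return {"version": f"{major}.{minor}", "first_chunk": first_chunk,
            "last_chunk": last_chunk, "next_record_id": next_record_id,
            "chunk_count": chunk_count, "dirty": bool(flags & 1),
            "checksum_ok": checksum == zlib.crc32(data[:120])}  # CRC32 of first 120 bytes


def parse_chunk(chunk: bytes) -> Dict[str, Any]:
    if chunk[:8] != CHUNK_MAGIC:
        raise ValueError("chunk without ElfChnk signature (truncated or damaged export)")
    (_frn, _lrn, first_id, last_id, _hdr, _last_off,
     free_space, records_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    header_crc = struct.unpack_from("<I", chunk, 124)[0]
    records: List[Dict[str, Any]] = []
    off = CHUNK_HEADER_SIZE
    while off < free_space:
        if chunk[off:off + 4] != RECORD_MAGIC:
            break  # slack or damage: stop rather than misparse
        size, rec_id, written = struct.unpack_from("<IQQ", chunk, off + 4)
        size_copy = struct.unpack_from("<I", chunk, off + size - 4)[0]  # trailer repeats size
        records.append({"id": rec_id, "written": filetime_to_iso(written),
                        "size": size, "intact": size_copy == size})
        off += size
    return {"first_record_id": first_id, "last_record_id": last_id, "records": records,
            "header_checksum_ok": header_crc == zlib.crc32(chunk[:120] + chunk[128:512]),
            "records_checksum_ok": records_crc == zlib.crc32(chunk[CHUNK_HEADER_SIZE:free_space])}


def triage_evtx(data: bytes) -> Dict[str, Any]:
    header = parse_file_header(data)
    chunks = []
    for i in range(header["chunk_count"]):
        start = FILE_HEADER_BLOCK + i * CHUNK_SIZE
        if len(data) < start + CHUNK_SIZE:
            raise ValueError(f"file truncated inside chunk {i}")
        chunks.append(parse_chunk(data[start:start + CHUNK_SIZE]))
    return {"header": header, "chunks": chunks,
            "record_count": sum(len(c["records"]) for c in chunks)}


def build_sample_evtx(iso_times: List[str]) -> bytes:
    """Constructed fixture: one chunk, one record per timestamp, zeroed binary-XML body."""
    body = b"\x00" * 8
    size = RECORD_HEADER_SIZE + len(body) + 4
    records = b"".join(RECORD_MAGIC + struct.pack("<IQQ", size, n, iso_to_filetime(t)) + body
                       + struct.pack("<I", size) for n, t in enumerate(iso_times, start=1))
    n = len(iso_times)
    free_space = CHUNK_HEADER_SIZE + len(records)
    chunk = bytearray(CHUNK_SIZE)
    chunk[0:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQIIII", chunk, 8, 1, n, 1, n, 128,
                     max(CHUNK_HEADER_SIZE, free_space - size), free_space, zlib.crc32(records))
    chunk[CHUNK_HEADER_SIZE:free_space] = records
    struct.pack_into("<I", chunk, 124, zlib.crc32(chunk[:120] + chunk[128:512]))
    header = bytearray(FILE_HEADER_BLOCK)
    header[0:8] = FILE_MAGIC
    struct.pack_into("<QQQIHHHH", header, 8, 0, 0, n + 1, 128, 1, 3, FILE_HEADER_BLOCK, 1)
    struct.pack_into("<II", header, 120, 0, zlib.crc32(header[:120]))
    return bytes(header) + bytes(chunk)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_evtx(
        ["2022-09-01T00:00:00+00:00", "2022-09-02T00:00:00+00:00"])
    report = triage_evtx(data)
    print(report["header"], report["record_count"], "records")
    for c in report["chunks"]:
        for r in c["records"]:
            print(r["id"], r["written"], "intact" if r["intact"] else "DAMAGED")
```

Run it against one of the exported files (`python evtx_triage.py Security.evtx`): if it prints an ElfFile header with sane checksums, the file is a healthy EVTX container and the fix is on the Splunk side (a sourcetype that knows the format, not Automatic). If it raises on the signature, what was copied is not an .evtx file at all, which is worth ruling out before touching any input settings.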
Splunk can't read Windows event logs using a monitor input. The usual method is via a WinEventLog input, but that probably won't work with transferred files since WinEventLog expects to get data directly from the local Windows server.
I'm not sure, but I think I read somewhere that Splunk was able (at least some time ago) to read evt files (not sure about evtx). One caveat - it must have been a Windows Splunk version - it probably used some system library calls to process the file.
I'm not however sure if the possibility still exists since I haven't seen a windows-based splunk server for a loooooong time.
I have done this before. I got everything set up and working then another employee took over the task. They then moved and took the computer with them. That employee recently moved to another position and UPS "lost" the computer, so I am now trying to get it set up on a new machine.
I do remember when configuring the previous box I used WinEventLog somewhere in the process. I thought it was in the Source Type under operating system but all I see there now is windows_snare_syslog and that does not seem to work either.
The sourcetype to use is 'wineventlog'.
wineventlog was not found but that did get me there.
The correct string is "preprocess-winevt".
It is indexing now. Thank you.