Getting Data In

Windows TA App not Extracting properly

izyknows
Path Finder

I have a Splunk Enterprise deployment. I want to get Windows logs in (Application, system).

I am using the Windows TA for Splunk (https://splunkbase.splunk.com/app/742/) because I want its field extractions/transforms. I also have my own TA with a custom inputs.conf which I use to specify which logs I want to collect. So 2 apps:

  • Windows TA - for transforms
  • My custom app - for the inputs.conf

The Windows TA app has been installed on the deployment clients via the server. The stanzas in inputs.conf have `disabled=1`. The custom app has also been deployed via the deployment server with all stanzas in inputs.conf having `disabled=0`. There is no TA installed on the Splunk server, only on the UF (deployment client).

Hence, I _assume_ that it will collect the logs specified in my custom inputs.conf and apply the transforms from the Windows TA. Below is a snippet of my custom inputs.conf

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
renderXml=true
evt_resolve_ad_obj = 1
index = windows

[WinEventLog://System]
disabled = 0
renderXml=true
evt_resolve_ad_obj = 1
index = windows


[WinEventLog://Application]
disabled = 0
renderXml=true
evt_resolve_ad_obj = 1
index = windows

However, in Splunk, I see the data but without any extractions as below

[attached screenshot: izyknows_0-1624384583843.png]

I tried to set a stanza in the Windows TA to `disabled=0` and I still get no extractions. Do I need to enable the transforms somewhere? Or any ideas why extraction isn't happening for me regardless of whether I use my custom inputs.conf or the Windows TA inputs.conf?

Additionally, can I ask - how does one know whether an app is to be installed on the server or indexer or UF/HF, etc.? I did not find any indication on the app page of this. Hence here, I've only installed the app on the UF.

izyknows
Path Finder

I ended up uninstalling my custom created app and using the inbuilt windows one. I modified the inputs.conf of the Windows TA to have my monitoring. However, I still wasn't getting the right extractions.

Finally, via the Splunk UI, I went to manage apps and installed the Windows_TA app via the UI. This did the trick, I now see the field extractions.

Funderburg78
Path Finder

Yeah, you should not have that inputs.conf in your Splunk/apps/splunkuniversalforwarder directory. When you redeployed the app to the client, did you uninstall it first, then ensure the restart splunk button was checked? I would check your client's splunkhome/etc/app/windows_TA/local/inputs.conf and verify it got the updated config, then restart splunk on the client. Also, I assume you ensured the client has an outputs.conf. If you uninstalled your custom app and it had the outputs.conf then that is why it is not sending logs to the indexer.

izyknows
Path Finder

Wait, a rather basic question - but will an inputs.conf only be applied if it's within the /local/ directory? Right now, even in my custom app, I would create configuration files only in the /default/ directory. I was following this guide for creating and deploying custom apps: https://docs.splunk.com/Documentation/Splunk/8.2.0/Updating/Extendedexampledeployseveralstandardforw...

And within that, they mentioned to create the inputs.conf within the default directory.

Regarding output.conf - If you see the link I posted above, they have a separate app called "fwd_to_splunk" which contains the outputs.conf. I use it similarly. There's an outputs.conf within the default folder of that app that defines where to send the data.

Regarding uninstalling/restarting - In my forwarder management, all the apps I have there (Windows TA + custom app + forwarder app) have the "Restart Splunk" button checked. When I make changes to my configs, I save the files and from my splunk server, I only run `splunk reload deploy-server`. So I do not explicitly do any "uninstallation" of the apps on the client side. Is that a problem?

Funderburg78
Path Finder

After modifying apps, I strongly suggest you uninstall and redeploy the app.

Funderburg78
Path Finder

The transforms and props.conf have to be in the same application as the inputs.conf. Instead of using a custom app, have you tried putting your inputs.conf into the local directory of the Windows_TA?

So in Windows_TA\Local\inputs.conf

This is what the local directory was for. You can use the windows_TA but only enable the inputs you want, or even modify the settings for the inputs to put them in different indexes. I would be careful not to mess with the sourcetypes; make sure you leave the defaults, as this is how the props.conf and transforms.conf identify what data to apply the settings to. I see you have no sourcetypes listed in the above inputs.conf; this may be a part of your problem. Either way, do not use a separate app for inputs, just copy the inputs.conf from the default directory of the windows_TA to the local directory and only enable the features you want.

izyknows
Path Finder

Hi, thanks for the response! I did not know that you can't have the inputs.conf away from the transforms/props. I assumed Splunk would scan all inputs.conf with disabled=0 across all apps. And similar for other configs.

I've added my custom inputs.conf into the windows_ta\local\inputs.conf and deployed it. But no luck. I don't even get back any logs now, let alone extractions.

Additionally, I'm not sure if it makes a difference, but I also saw on my client,

SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf

the following

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest

I don't know how this inputs.conf got defined at all but I've set them to disabled=1 for now. However, getting no logs in Splunk now 😕

Any tips?

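Two points in this thread, Funderburg78's advice to keep a single inputs.conf in the TA's local directory with the defaults left intact, and the duplicate Security/System stanzas izyknows then found enabled in the SplunkUniversalForwarder app, both come down to how Splunk layers inputs.conf on a forwarder: within one app, keys in local/ override the same keys in default/, and any stanza that is not marked disabled is live in every app that carries it. The script below is an added example, not code from this thread or from Splunk_TA_windows, that emulates that layering and flags WinEventLog stanzas enabled in more than one app. The three conf snippets are constructed stand-ins (the "default" fragment is not the real Splunk_TA_windows file, only a placeholder with the same shape), and cross-app precedence, which decides whose settings win when a stanza is duplicated, is deliberately not modelled: a duplicate is reported as something to resolve by hand.

```python
"""Emulate Splunk's per-app inputs.conf layering (local over default) and
flag WinEventLog stanzas enabled in more than one app on a forwarder.

Added example for the thread above; the conf text is constructed and the
Splunk_TA_windows 'default' fragment is a placeholder, not the real file.
"""
import configparser
from typing import Dict, List

Stanzas = Dict[str, Dict[str, str]]

# Values Splunk accepts as "disabled = on" in a stanza.
_TRUE = {"1", "true", "t", "yes", "y", "on"}


def parse_conf(text: str) -> Stanzas:
    """Parse ini-style Splunk .conf text into {stanza: {key: value}}.
    Splunk keys are case-sensitive (renderXml), so optionxform is disabled;
    interpolation is off because Splunk values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def merge_app(default_text: str, local_text: str) -> Stanzas:
    """Layer local/ over default/ the way Splunk does inside one app:
    a key set in local replaces the same key in default, and keys that
    appear only in default are kept (so renderXml etc. survive)."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def enabled_stanzas(merged: Stanzas) -> Stanzas:
    """WinEventLog stanzas that are live: 'disabled' absent or falsy."""
    return {
        s: k for s, k in merged.items()
        if s.startswith("WinEventLog://")
        and k.get("disabled", "0").strip().lower() not in _TRUE
    }


def find_conflicts(apps: Dict[str, Stanzas]) -> Dict[str, List[str]]:
    """Return {stanza: [app, ...]} for stanzas enabled in more than one app.
    Which app's settings win is decided by Splunk's app precedence rules,
    which this example does not model; treat every hit as a config to fix."""
    owners: Dict[str, List[str]] = {}
    for app, merged in apps.items():
        for stanza in enabled_stanzas(merged):
            owners.setdefault(stanza, []).append(app)
    return {s: sorted(a) for s, a in owners.items() if len(a) > 1}


# --- constructed sample configs (placeholders, not the real TA files) ---
TA_DEFAULT = """
[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
renderXml = true
evt_resolve_ad_obj = 1

[WinEventLog://System]
disabled = 1
renderXml = true

[WinEventLog://Application]
disabled = 1
renderXml = true
"""

# local/inputs.conf in the TA: only flip on what you want, keep defaults.
TA_LOCAL = """
[WinEventLog://Security]
disabled = 0
index = windows

[WinEventLog://System]
disabled = 0
index = windows
"""

# The stray file found under etc/apps/SplunkUniversalForwarder/local.
UF_LOCAL = """
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
"""

FORWARDER_APPS: Dict[str, Stanzas] = {
    "Splunk_TA_windows": merge_app(TA_DEFAULT, TA_LOCAL),
    "SplunkUniversalForwarder": merge_app("", UF_LOCAL),
}

if __name__ == "__main__":
    for app, merged in FORWARDER_APPS.items():
        print(f"{app}: enabled = {sorted(enabled_stanzas(merged))}")
    for stanza, apps in find_conflicts(FORWARDER_APPS).items():
        print(f"CONFLICT: {stanza} enabled in {apps}")
```

To use it on a real forwarder, read `default/inputs.conf` and `local/inputs.conf` from each directory under `etc/apps` into `merge_app` instead of the constructed strings; an empty conflict dict and the expected enabled set is the state to reach before looking at extractions. The extractions themselves (props.conf/transforms.conf) are search-time settings and are applied where the search runs, which is why installing the TA on the search head, as in the accepted solution, made the fields appear.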