Getting Data In

sourcetype for windows event logs

mikefoti
Communicator

This question deals with identifying fields within events from a windows event log (i.e. the Application, System or Security log) manually exported from the windows EventVwr.

I know I can use a Splunk Universal Forwarder to monitor the logs and forward events for indexing as they occur… but in this case I need to troubleshoot a system that is not forwarding events. So I manually export, for example, the System event log. In doing so I have 3 options. I may export a log and save it as a .evt, a .csv or a .txt file. For testing, I have exported it in all 3 formats. I then used the Splunk UI to Add Inputs. First, when selecting the “sourcetype” I selected Automatic. I then selected From List, and tested csv, csv-2, csv-3, syslog and Log4J. My best results came when indexing the .Txt file using either sourcetype Automatic or Log4J…. but I was surprised to find that none of the combinations automatically identified the windows event Source, Type, Category or event EventID, etc.

So I guess I have 2 questions:

1.What happens behind the scenes when I select from the various sourcetypes available on the Data Inputs screen?
2.Is there a tried and true method for automatically indentifying these basic windows event log fields so next week, when troubleshooting another windows system, I won’t have to re-extract these basic fields?

Tags (2)
0 Karma
1 Solution

dart
Splunk Employee
Splunk Employee

Windows event logs should be importable as .evt or .evtx files, however you need to be running your indexer on Windows to do so.

The default sourcetype would be WinEventLog: followed by the source log, for example for the Application log it would be WinEventLog:Application, however automatic sourcetype assignment should work, and fields should be extracted.

View solution in original post

dart
Splunk Employee
Splunk Employee

Windows event logs should be importable as .evt or .evtx files, however you need to be running your indexer on Windows to do so.

The default sourcetype would be WinEventLog: followed by the source log, for example for the Application log it would be WinEventLog:Application, however automatic sourcetype assignment should work, and fields should be extracted.

Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...