Splunk Enterprise Security

Can you answer my question about WinEventLogs and XML in Splunk Enterprise Security?: (sourcetype=XmlWinEventLog vs. sourctype=WinEventLog)

GenericSplunkUs
Path Finder

General Splunk question on ingesting Windows Event Logs.

We're currently using XML to ingest all of our Windows Event Logs, and I'm looking for some documentation on the reasons to use this or not to use this. And, if we can ingest without the XML, are there good ways to reduce the extra logging volume that creates?

I've been googling for a while, if someone could help me out with an explanation or preferably a document you have saved (or several of them) that I can read through to get a better understanding of this.

Much Thanks!

0 Karma
1 Solution

lakshman239
SplunkTrust
SplunkTrust

Did you check this out?

https://answers.splunk.com/answers/618959/windows-security-events-xml-vs-non-xml-format.html

I personally feel the non-xml is good from readability point of view. You can always use 'sed' to trim of unwanted text/empty lines to reduce license/disk space (if that's of concern).

I have also come across people suggesting the use of xml may improve the rendering and parsing of the events, when the splunk pulls the windows events through the API, but, haven't seen much (myself).

Are you seeing any problem which you think could be addressed by non-xml?

View solution in original post

0 Karma

ishan_splunk
Splunk Employee
Splunk Employee

Use Splunk add-on for Windows https://splunkbase.splunk.com/app/742/

It has a very good support of plain text as well as xml wineventlog by providing specific field extractions for some logs and provides generic field extractions for other logs.

It also fixes some field extractions issues in auto extracted fields by Splunk from both plain text and xml

My recommendation is to use XML format which seems faster in retrieving from windows and faster search time parsing in Splunk

lakshman239
SplunkTrust
SplunkTrust

Did you check this out?

https://answers.splunk.com/answers/618959/windows-security-events-xml-vs-non-xml-format.html

I personally feel the non-xml is good from readability point of view. You can always use 'sed' to trim of unwanted text/empty lines to reduce license/disk space (if that's of concern).

I have also come across people suggesting the use of xml may improve the rendering and parsing of the events, when the splunk pulls the windows events through the API, but, haven't seen much (myself).

Are you seeing any problem which you think could be addressed by non-xml?

View solution in original post

0 Karma

GenericSplunkUs
Path Finder

I had not seen that one. Thanks!

Reading the threads now.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!