Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

windows evtx logs to splunk linux deployment using a universal forwarder

d4rk_sp1d3r
Loves-to-Learn Lots
‎04-30-2020 08:38 AM

i am trying to forward logs from a windows server to a linux splunk enterprise using the universal forwarder. the application.evtx file was transfered to folder D:\Archive_Logs\Application_Logs\Application.evtx instead of the regular folder where application logs are stored. I used the inputs.conf to monitor the file using [monitor://d:\Archive_Logs\Application_Logs\Application.evtx] . It seems to have ingested it but i only got 1 event with unreadable data. This is the same unreadable data when I try to use Add Data In feature in splunk. I read the document from https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/MonitorWindowseventlogdata and says there are some issues about using linux splunk for monitoring windows event logs. Not sure why this is not working because we also have other servers with windows event logs being sent to the same linux splunk enterprise but those are using the regular [WinEventLog://Application] input. Why does this happen and how can i get our logs sent to splunk? We have a splunk deployment with a deployment master pushing apps to windows servers.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wyfwa4
Communicator
‎04-30-2020 09:39 AM

The issue is that files in .evtx format are not readable - they are a custom binary format used by Microsoft. So even if you tries to read them on a Windows based Splunk server, it would not work. If they are sitting on a disk folder, then somebody has exported them and they are no longer Windows event logs, but just files containing data extracted from a windows event log.

When using the standard Splunk Windows logs collection process - [WinEventLog://Application] - this is using API calls to read each event, rather than trying to read a file directly on disk.

You will need to either convert the files to readable text, or switch to reading the events within the eventlog before being exported. There seems to be some details on using the tool WEVTUTIL to perform this conversion.

https://techcommunity.microsoft.com/t5/ask-the-performance-team/windows-vista-and-exported-event-log...

View solution in original post

Reply
Solved! Jump to solution

rvany
Communicator
2 weeks ago

This is just to add some pieces of information.

The Windows Event Log data is written to disk at least before and after a reboot or a restart of the "Windows Event Log" service. These files are then saved under C:\Windows\System32\winevt\Logs with names such as Application.evtx or Security.evtx

These files are in a somehow "binary" format, but this format is known and there are tools to extract their data in text format. E.g. using the Python language there's a module named "python-evtx".

I did not try using this module inside a Linux based Indexer to directly read the data from the files.

Doing this is probably a bad idea for the standard Windows Event Logs as these are best read using the solution provided above, but in case of "standalone" event files, which other applications might create, using such tools is a way to go.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
2 weeks ago
Here is one old answer for indexing windows .evtx files.
https://community.splunk.com/t5/Getting-Data-In/Ingesting-offline-Windows-Event-logs-from-different-...
0 Karma
Reply
Solved! Jump to solution

rvany
Communicator
2 weeks ago

Thank you for the link(s). Would be great if Splunk had included this important bit of information in their docs...

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
2 weeks ago
I think that as those are usually ingested directly in windows nodes via correct input method, this is not a normal use case. Those who needs to investigate those files later usually already knows how this can do.
0 Karma
Reply
Solved! Jump to solution
Solution

wyfwa4
Communicator
‎04-30-2020 09:39 AM

The issue is that files in .evtx format are not readable - they are a custom binary format used by Microsoft. So even if you tries to read them on a Windows based Splunk server, it would not work. If they are sitting on a disk folder, then somebody has exported them and they are no longer Windows event logs, but just files containing data extracted from a windows event log.

When using the standard Splunk Windows logs collection process - [WinEventLog://Application] - this is using API calls to read each event, rather than trying to read a file directly on disk.

You will need to either convert the files to readable text, or switch to reading the events within the eventlog before being exported. There seems to be some details on using the tool WEVTUTIL to perform this conversion.

https://techcommunity.microsoft.com/t5/ask-the-performance-team/windows-vista-and-exported-event-log...

Reply
Get Updates on the Splunk Community!

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...