Can you index evtx on linux heavy forwarder? 4.3

well the universal forwarder will just forwarder data and NOT parse it (i.e. run it through the props/transforms actions) so it will not have the api available to parse and the linux indexer will not have the api either...so.

I'd recommend a heavy forwarder (or basically a full splunk instance with the web turned off) on the windows host in this case so that you can parse the data at read time and then forward it over already cooked to the linux indexer.

thanks. i have tried with full splunk. still the same. do i need to configure anything special in inputs, props or transforms.conf to make sure it cooks the data first... i only have inputs.conf.

do i need to do something different in inputs.conf?
[monitor://$SPLUNK_HOMEevtmon recursive = false sourcetype = sevtx index = indevtx

i tried [WinEventLog://$SPLUNK_HOMEevtmon but nothing gets forwarded

@bob999: try configuring your Windows forwarder to use an input like so.

[monitor://c:\import_exported_EVT\] 
host_segment = 3 
recursive = true 
queue = winparsing 
crcSalt = <source>

No this didnt work either. there must be some config to tell it to cook the data? the queue = winparsing didint work.

Hmm...OK maybe we could tackle this in a different way.

The next things I'd try doing is going back to the universal forwarder on the windows boxens, and then a windows(there seem to be differing comments on whether it will work on linux) indexer with the http://splunk-base.splunk.com/apps/22315/splunk-app-for-windows app loaded? This might be able to read those EVT files correctly?

It definitely sounds like an API related issue that the forwarder can't parse the files so the indexer is likely rejecting it as binary input. Maybe with the app on the indexer will do the trick.