Different sourcetype naming: Splunk 7.2.4 and 8.* or is it the Heavy Forwarder?

afx
Contributor

Hi,
all our UF and HF use the following for the Windows input:

[WinEventLog://Security]
sourcetype=XmlWinEventLog:Security
renderXml=1
...

All UFs and the cluster are on Splunk 7.2.4.2.
I recently installed a few HFs and used the latest Splunk code there: 8.0.2.

My 7.* UFs arrive with the following sourcetype and source:

XmlWinEventLog:Security  XmlWinEventLog

My 8.* HFs arrive instead with:

WinEventLog:Security xmlwineventlog

Any ideas what's going wrong?

I have the Splunk_TA_windows installed on the search head, which renames all the sourcetypes, but that of course applies to all Windows sourcetypes. It looks like the sourcetype renaming only applies to the HFs, and it still does not explain why the source is changed as well.

thx
afx

0 Karma
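The sourcetype/source mismatch described in the question is worth auditing on its own, because a detection search written against XmlWinEventLog:Security silently misses Security events that arrive as WinEventLog:Security. The following search is an added example and not part of the thread; it assumes the Windows events land in an index named wineventlog (substitute your own) and reports, per forwarding host, which sourcetype/source combination its Security events carried over the last 24 hours, flagging hosts that emit more than one.

```spl
| tstats count AS events, max(_time) AS last_seen
    WHERE index=wineventlog earliest=-24h
          (sourcetype="XmlWinEventLog:Security" OR sourcetype="WinEventLog:Security")
    BY host sourcetype source
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| eventstats dc(sourcetype) AS sourcetypes_per_host BY host
| eval mixed=if(sourcetypes_per_host>1, "yes", "no")
| table host sourcetype source events last_seen mixed
| sort host sourcetype
```

Hosts that show up under WinEventLog:Security with source xmlwineventlog are the ones behind the 8.* HFs; any host listed twice had its naming change mid-window. Until the fleet is uniform, searches and correlation rules should match both names (for example sourcetype IN ("XmlWinEventLog:Security","WinEventLog:Security")) rather than one of them.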

codebuilder
Influencer

Verify that props.conf on your 8.* HFs is owned by splunk:splunk. Also, any change to props.conf requires cycling the Splunk daemon to take effect.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

afx
Contributor

My 8.* forwarder runs on Windows as local:system.
There is no props.conf for the Windows event log on the box, just an input like on all other Windows boxes.

cheers
afx

0 Karma