
Splunk onboarding Custom Views from EventViewer

dc17
Explorer

Hello, 

I am trying to create a custom view (also via XPath) in Event Viewer and later ingest it into Splunk via a "WinEventLog" input, leveraging the Windows Add-on.

Can it be done using "WinEventLog" or some other way in inputs.conf, as it is for Application/Security/System?
[WinEventLog://MyCustomLog]

As suggested here, I tried this configuration, but no logs were onboarded and it returned no error, not even in the _internal logs.

Has anyone found a custom solution for ingesting these newly created custom views from Event Viewer into Splunk?

Thanks


VatsalJagani
SplunkTrust

@dc17 - You need to give the full path, like:


[WinEventLog://Microsoft-Windows-Sysmon/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = sysmon
sourcetype = WinEventLog:Sysmon

In my case, I can see a folder called Microsoft > Windows > Sysmon, in which I can see the Operational log.

You need to give the full path instead of just MyCustomLog. Give the full path, which you can find in Event Viewer.


I hope this helps!!!

VatsalJagani
SplunkTrust

@dc17 - Did the solution work for you? If so, kindly consider accepting the answer for future Splunk users.


dc17
Explorer

Hi @VatsalJagani , 

Thanks for the reply. Could you help me find the full path of the .evtx file from Event Viewer? I could not find any reference in Event Viewer, in my Custom Views, to a full path where the logs are stored.

If I can recollect this full path, I could perform some tests on the solution you kindly proposed to me.

Thanks


VatsalJagani
SplunkTrust

@dc17 - I'm not sure what logs you are trying to find in Event Viewer. Are they any known application logs you are trying to find?


dc17
Explorer

Hi @VatsalJagani ,

I am not looking at any logs specifically, because I need to create multiple Custom Views and configure them with different XPath queries. So I am looking for an approach to monitor these Custom Views with WinEventLog.

In the photo, an example of a Custom View is the "Test" folder.
But in the path C:\Windows\System32\winevt\Logs I could not find any reference to this "Test" Custom View.

[image: dc17_1-1713283272111.png]

To recap:
The "Test" Custom View works fine in Event Viewer and is updated live as my query runs. It contains all the events I am interested in (which ones is not important). However, I could not find any path connected to it where the logs are stored and ready to be collected by a Splunk WinEventLog monitor.


Thanks,

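The reason no .evtx file exists for the "Test" Custom View is that a Custom View is only a saved XPath query over existing channels (Event Viewer typically stores it as an XML file under %ProgramData%\Microsoft\Event Viewer\Views), while the WinEventLog input reads channels. The PowerShell below is an added example, not code from this thread or from Splunk: it takes the QueryList of a Custom View, lists the channels it selects from, checks that each channel is registered on the host, and prints one [WinEventLog://<channel>] stanza per channel in the form VatsalJagani's answer describes. The embedded Custom View XML is constructed for the example; the function names, the channel names in it and the index name are assumptions.

```powershell
# Added example (not from the thread or from Splunk): map an Event Viewer Custom
# View to the log channels it queries and emit matching inputs.conf stanzas.
# A Custom View is a saved XPath query, not a channel, so WinEventLog:// has to
# point at the underlying channels named in the view's <Select>/<Suppress> nodes.

# Constructed sample in the shape Event Viewer writes to
# %ProgramData%\Microsoft\Event Viewer\Views\<name>.xml. To use a real view:
#   [xml]$customView = Get-Content -Raw "$env:ProgramData\Microsoft\Event Viewer\Views\<name>.xml"
[xml]$customView = @"
<ViewerConfig>
  <QueryConfig>
    <QueryNode>
      <Name>Test</Name>
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
          <Select Path="Microsoft-Windows-Sysmon/Operational">*[System[(EventID=1)]]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
"@

function Get-CustomViewChannels {
    param([Parameter(Mandatory)][xml]$View)
    # Each <Select> or <Suppress> carries its source channel in the Path attribute;
    # these channel names are exactly what WinEventLog:// expects.
    $View.SelectNodes('//Select | //Suppress') |
        ForEach-Object { $_.GetAttribute('Path') } |
        Where-Object { $_ -ne '' } |
        Sort-Object -Unique
}

function Find-ChannelName {
    param([Parameter(Mandatory)][string]$Pattern)
    # Look up the full channel name from a fragment seen in Event Viewer,
    # e.g. Find-ChannelName Sysmon -> Microsoft-Windows-Sysmon/Operational.
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.LogName -like "*$Pattern*" } |
        Select-Object -ExpandProperty LogName
}

function Test-ChannelExists {
    param([Parameter(Mandatory)][string]$Channel)
    # -ListLog returns the channel object only if it is registered on this host.
    $null -ne (Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue)
}

function ConvertTo-InputsConfStanza {
    param([Parameter(Mandatory)][string]$Channel, [string]$Index = 'winevents')
    # $Index is a placeholder value; replace it with your own index.
@"
[WinEventLog://$Channel]
disabled = 0
start_from = oldest
current_only = 0
index = $Index
renderXml = false

"@
}

# 1. Which channels does the Custom View read from?
$channels = Get-CustomViewChannels -View $customView

# 2. Show that the view is only a filter: run its own QueryList against the live logs.
$queryList = [xml]($customView.SelectSingleNode('//QueryList').OuterXml)
Get-WinEvent -FilterXml $queryList -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id | Format-Table -AutoSize

# 3. Emit a stanza for every channel that is actually registered on this host.
foreach ($ch in $channels) {
    if (Test-ChannelExists -Channel $ch) {
        ConvertTo-InputsConfStanza -Channel $ch
    } else {
        Write-Warning "Channel '$ch' is not registered here; check the name with Find-ChannelName."
    }
}
```

The stanzas bring in the whole channel, not only the events the Custom View's XPath matched. To keep the view's EventID filter, Splunk's documented whitelist syntax for WinEventLog can be added to the same stanza, for example `whitelist = EventCode=%^(4624|4625)$%` for the Security stanza above, or the filtering can be done at search time.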