Hi Splunkers!
I would like to know how to define a .evtx file.
I had defined it this way, but it didn't work:
[monitor://C:\Windows\System32\Winevt\Logs\Data Security.evtx]
Thanks!
Hi @smanojkumar,
Let me understand: you need to index WinEventLog events, is that correct?
In this case you don't need to monitor an .evtx file; there's a dedicated collector.
For more info, see:
https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/MonitorWindowseventlogdata
https://www.splunk.com/en_us/resources/videos/getting-data-in-to-splunk-enterprise-windows.html
Ciao.
Giuseppe
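As an added example (this is not code from the original posts or from the Splunk documentation linked above), here is what the dedicated Windows Event Log input looks like in inputs.conf for a live channel. The index name wineventlog, the event-code filter and the Sysmon channel are assumptions chosen for illustration:

```ini
# inputs.conf on the Windows host running the Universal Forwarder.
# Added example; the index name "wineventlog" is an assumption.

# The name after WinEventLog:// is the channel name as Event Viewer shows it
# (e.g. "Security"), not the path of the .evtx file under Winevt\Logs.
[WinEventLog://Security]
disabled = 0
index = wineventlog
# On first start read from the oldest retained event, then continue from the checkpoint
start_from = oldest
current_only = 0
checkpointInterval = 5
# Classic text rendering of the event; set to true for the XML form
renderXml = false
# Optional filter (constructed for this example): logon success/failure and process creation
whitelist = 4624,4625,4688

# A channel whose name contains a slash is written exactly as Event Viewer shows it
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
renderXml = true
```

To check the exact channel name before writing the stanza, look it up in Event Viewer or run Get-WinEvent -ListLog * in PowerShell on the host; the stanza name must match that channel name, and the forwarder has to be restarted after inputs.conf changes.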
Hi
On a Windows node, just define that input in inputs.conf as @gcusello said. There are examples in those documents.
If those files are on Linux (restored e.g. from backups or something else), you could check this old post https://community.splunk.com/t5/Getting-Data-In/Ingesting-offline-Windows-Event-logs-from-different-...
r. Ismo