Collect Windows Event Log

Hello,

I have configured a Windows Unified SmartConnector, and the connector is collecting the logs that are being generated in the server's Event Viewer (Windows Domain Controller).

I would like to collect the logs from before the installation of the SmartConnector; is this possible? I have the evtx files (Security.evtx in my case) of the events prior to the installation of the connector available.

I followed this link:

https://community.softwaregrp.com/t5/ArcSight-User-Discussions/Import-of-Windows-Event-Logs-evtx-and-Oracle-DB-Audit-Logs/m-p/1506821#M1114

but with LogParser 2.2 the logs did not appear correctly, and it added unwanted strings to the output file.

If I exported the logs from the Event Viewer in txt format, would there be a SmartConnector that does the parsing (or, in any case, collects them correctly)?

Thanks,

Best Regards

Captain

If I understand correctly, you need the logs from the beginning of logging on the host?

You may try the Advanced Configuration Parameter startatend=false.

See the WUC documentation, pages 36-37:

https://community.softwaregrp.com/t5/ArcSight-Connectors/SmartConnector-for-Microsoft-Windows-Event-Log-Unified/ta-p/1585246

Vice Admiral

Hi @biancom,

I have a windows domain controller from which I want to collect the logs (Security Log).

I installed the connector today (November 30, 2018), but I would like to import (collect) the logs of, for example, 1 October 2018 (of which I have the backup file Security.evtx). How can I get the backup logs into the connector?

Thanks,

regards

Captain

This is a bit of a difficult case. I don't have experience with this. 😞

Try Google. Something like "evtx to arcsight".

Knowledge Partner

Have you tried the solution mentioned in this link:

https://community.softwaregrp.com/t5/ArcSight-User-Discussions/read-from-multiple-evtx-file/td-p/1546349 

It seemed to work for the guy who asked a similar question.

Furthermore, in your delimited parser (fairly simple) you should map the EVTX fields to the same fields as parsed by the WINC/WUC connector.

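The approach the last reply points at (read the archived EVTX, write a delimited file, map its columns in a Flex/delimited-file connector parser) is shown below as an added example; it is not code from this thread or from ArcSight. Get-WinEvent with the Path key in -FilterHashtable reads an .evtx file directly, so the live channel subscription of the WUC connector is not involved. The input/output paths, the date window, and the column names are assumptions; the column names are only placeholders that you would map to the ArcSight fields the WUC connector populates (deviceEventClassId, deviceReceiptTime, deviceHostName, and so on).

```powershell
# Added example (not from the thread): export an archived Security.evtx into a
# delimited file for a delimited-file SmartConnector. Paths, the date window and
# the output column names are assumptions.
param(
    [string]$EvtxPath  = 'C:\Backup\Security.evtx',                  # assumed path to the archived log
    [string]$OutFile   = 'C:\ArcSight\import\security_2018-10-01.csv', # assumed connector input folder
    [datetime]$Start   = '2018-10-01',
    [datetime]$End     = '2018-10-02'
)

# Path must be absolute for Get-WinEvent; StartTime/EndTime restrict the export
# to the day we want to backfill instead of dumping the whole file.
$filter = @{ Path = $EvtxPath; StartTime = $Start; EndTime = $End }

Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Use the XML rendering so that the EventData payload (SubjectUserName,
        # TargetUserName, IpAddress, LogonType, ...) survives as name=value pairs
        # rather than being flattened into the free-text Message column.
        $xml  = [xml]$_.ToXml()
        $data = @()
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data += ('{0}={1}' -f $d.Name, $d.'#text') }
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated.ToUniversalTime().ToString('o')  # ISO 8601 UTC
            EventID     = $_.Id
            Provider    = $_.ProviderName
            Channel     = $_.LogName
            Computer    = $_.MachineName
            Level       = $_.LevelDisplayName
            Keywords    = ($_.KeywordsDisplayNames -join ';')
            EventData   = ($data -join '|')
            # Message is rendered from the provider manifest; collapse newlines so
            # each event stays on one line for the delimited parser.
            Message     = ($_.Message -replace '\r?\n', ' ')
        }
    } | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Run it on the domain controller itself (or on a machine with the same provider manifests installed); otherwise Message and Level can come back empty because the event description cannot be rendered, although the EventData name=value pairs are still present. Point the delimited-file connector at the output folder, use TimeCreated as the device receipt time so the events are stamped with October dates rather than the import date, and check that EventID and EventData resolve to the same ArcSight fields you see on the live WUC events before you load the full file.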
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.