Hey guys, trying to troubleshoot an issue here. Trying to get the XML events from the UF on Windows machines into Splunk.
The normal
[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
seems to work, but for some reason if I change to get the extended xml version of
[XmlWinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
it does not send anything through to the indexer.
I am wondering if there is maybe a setting in Windows preventing the Splunk UF from obtaining the XML exports of the events? Anyone able to shed some light on this?
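An added example, not from the original post: the way Splunk's inputs.conf.spec documents XML rendering is the renderXml setting on a WinEventLog:// stanza (the resulting sourcetype becomes XmlWinEventLog:<channel>), so the two stanzas below contrast the form quoted above with that documented form. The index name is an assumption.

```ini
# Stanza as written in the question: the UF reads the channel fine, but the
# events arrive as the classic text rendering rather than XML.
[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
index = applocker          ; assumed index name

# Documented way to get the XML rendering of the same channel: keep the
# WinEventLog:// stanza and turn on renderXml. Splunk then tags the events
# with sourcetype XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL.
[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
index = applocker          ; assumed index name
renderXml = true
```

On the forwarder, `splunk.exe btool inputs list --debug` shows which of these stanzas the UF actually loaded and from which file, which is the first check when a stanza produces no events at all.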