https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60540#M12019 <P>BTW, WinEventLog:* did not work. Splunk expects the Security/Application/System facility keywords there.</P> Sat, 20 Aug 2011 22:42:56 GMT splunker30039 2011-08-20T22:42:56Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60534#M12013 <P>I am not able to only forward certain interesting Windows events and ignore the rest. Running 4.2.x on both forwarder and indexer/receiver.</P> <P>It ignores my restrictions and sends all Windows logs, as if props/transforms in local\ does not get acknowledged..</P> <P>props:</P> <PRE><CODE>[source::WinEventLog...] TRANSFORMS-wmi = events-filter, events-null [source::WinEventLog...] TRANSFORMS-wmi = events-filter, events-null </CODE></PRE> <P>transforms:</P> <PRE><CODE>[events-null] REGEX = . DEST_KEY = queue FORMAT = nullQueue [events-filter] REGEX=(?msi)^EventCode=(4625|4624|7036|1102|1033) DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P>Tried both <CODE>[source::WinEventLog...]</CODE> and <CODE>[WMI:WinEventLog...]</CODE>, doesnt make a difference.</P> <P>Driving me crazy, please assist.</P> Fri, 19 Aug 2011 04:18:50 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60534#M12013 splunker30039 2011-08-19T04:18:50Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60535#M12014 <P>I don't think you want to use the ... wildcard for Windows events logs sources. I'm not a Windows expert, but I suggest that you try</P> <PRE><CODE>[source::WinEventLog*] </CODE></PRE> <P>Have you tried selecting by sourcetype instead of source?</P> Fri, 19 Aug 2011 05:12:45 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60535#M12014 lguinn2 2011-08-19T05:12:45Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60536#M12015 <P>Have to admit that I am slightly confused about the WMI VS source VS sourcetype, especially the Windows/Splunk changes since 4.2 etc. Is anyone else forwarding Windows logs and filtering on 4.2.x Splunk?</P> Fri, 19 Aug 2011 14:58:05 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60536#M12015 splunker30039 2011-08-19T14:58:05Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60537#M12016 <P>In your props.conf, use <CODE>[WinEventLog:Security]</CODE>, skipping the source:: part, as you actually want to use a sourcetype definition. You should be able to use <CODE>[WinEventLog:*]</CODE> to apply this to all windows event logs, but I haven't tried doing this before, so I am 100% not sure.</P> Sat, 20 Aug 2011 03:03:34 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60537#M12016 ftk 2011-08-20T03:03:34Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60538#M12017 <P>Working now.<BR /> <PRE><BR /> props.conf:</PRE></P> <P>[WinEventLog:Security]<BR /> TRANSFORMS-security= events-null, events-null3, events-filter</P> <P>[WinEventLog:System]<BR /> TRANSFORMS-system= events-null, events-filter</P> <P>[WinEventLog:Application]<BR /> TRANSFORMS-application= events-null, events-filter</P> <P>transforms.conf:<BR /> [events-null]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[events-null3]<BR /> REGEX=Logon Type=\s*(3)\D<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[events-filter]<BR /> REGEX=(?msi)^EventCode=(5157|4625|4624|7036|1102|1033)\D<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue<BR /> </P> <P><STRONG>Key issues:</STRONG></P> <UL> <LI>make sure null filter is before any other event filters </LI><LI>make sure it is on splunk 4.2+. If you have other apps installed, their config files may conflict </LI><LI>Windows splunk seems to be pretty shaky, lots of bugs, bugfixes. I am on 4.2.2, working fine. </LI></UL> Sat, 20 Aug 2011 22:33:46 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60538#M12017 splunker30039 2011-08-20T22:33:46Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60539#M12018 <P>BTW, the logon type 3 null filter filters out automated logins, something that clogs up logs and I did not care about. The event IDs are for successful logins/failed logins, application installs and service restarts. I am using one filter for all three facilities, working fine.</P> Sat, 20 Aug 2011 22:40:48 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60539#M12018 splunker30039 2011-08-20T22:40:48Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60540#M12019 <P>BTW, WinEventLog:* did not work. Splunk expects the Security/Application/System facility keywords there.</P> Sat, 20 Aug 2011 22:42:56 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60540#M12019 splunker30039 2011-08-20T22:42:56Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60541#M12020 <P>I'm having a similar issue. How does splunk classify these logs as WinEvenLog? My previous, working, installation had </P> <P>props.conf</P> <P>[default]</P> <P>TRANSFORMS-wmi=wminull</P> <P>transforms.conf</P> <P>[wminull]</P> <P>REGEX=(?msi)^EventCode=(4768|4776|4769|4932|4933|5152|5158|4634|4672|5156|4662|4624|7036|5145|5140)\D<BR /> DEST_KEY=queue<BR /> FORMAT=nullQueue</P> Tue, 24 Apr 2012 23:49:33 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60541#M12020 mayler 2012-04-24T23:49:33Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60542#M12021 <P>I'm having a similar issue. How does splunk classify these logs as WinEvenLog? My previous, working, installation had</P> <P>props.conf</P> <P>[default]</P> <P>TRANSFORMS-wmi=wminull</P> <P>transforms.conf</P> <P>[wminull]</P> <P>REGEX=(?msi)^EventCode=(4768|4776|4769|4932|4933|5152|5158|4634|4672|5156|4662|4624|7036|5145|5140)D DEST_KEY=queue FORMAT=nullQueue</P> Tue, 24 Apr 2012 23:50:00 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60542#M12021 mayler 2012-04-24T23:50:00Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60543#M12022 <P>It worked perfect when I set those values on HeavyForwarder configurations.</P> Fri, 16 Aug 2013 17:07:27 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60543#M12022 fabiocaldas 2013-08-16T17:07:27Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60544#M12023 <P>On the latest Splunk versions 6.0+ you will want to have the Splunk_TA_Windows installed on the Forwarder and Indexer/Search Head tiers. This TA will extract the Event Code fields for you from Windows Event Logs. </P> <P>Don't forget to also turn on auditing and domain policies for the specific events you want to collect.</P> <P>Check out the Splunk Blog post about Windows Event Filtering <BR /> <A href="http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/" target="_blank">http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/</A></P> Mon, 28 Sep 2020 17:43:36 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-event-logs/m-p/60544#M12023 mcronkrite 2020-09-28T17:43:36Z