https://community.splunk.com/t5/Getting-Data-In/Remote-Event-Log-Windows-Filtering-by-EventCode-not-working/m-p/67683#M13664 <P>I know this question has been asked many times over, but I can't see how my .conf files are different than the working examples. I seem to be getting all EventCodes in my index.</P> <P>Could someone please do a double-check here?</P> <PRE><CODE># apps/search/local/wmi.conf # [default] [WMI:DC Event Logs] disabled = 0 event_log_file = Security interval = 5 server = a-dc-01 # system/local/props.conf (also tried putting this under search) # [source::WMI:WinEventLog:Security] TRANSFORMS-WMISecurityLog = setWMISecurityLogRetain,setWMISecurityLogNull # system/local/transforms.conf (also tried putting this under search) # [setWMISecurityLogNull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setWMISecurityLogRetain] REGEX = (?m)^EventCode=(4662|5136|5137|5138|5139|5141)\D DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P>I'm trying to limit the log entries to the IDs above but I'm getting many more EventCodes than I want.</P> <PRE><CODE>EventCode count(EventCode) --------- ---------------- 4662 44 4735 38 4768 84 4769 2413 4770 79 4771 13 4776 162 5159 1870 </CODE></PRE> <P>Thanks in advance, Hugh</P> Fri, 25 Mar 2011 10:33:04 GMT hughkelley 2011-03-25T10:33:04Z https://community.splunk.com/t5/Getting-Data-In/Remote-Event-Log-Windows-Filtering-by-EventCode-not-working/m-p/67683#M13664 <P>I know this question has been asked many times over, but I can't see how my .conf files are different than the working examples. I seem to be getting all EventCodes in my index.</P> <P>Could someone please do a double-check here?</P> <PRE><CODE># apps/search/local/wmi.conf # [default] [WMI:DC Event Logs] disabled = 0 event_log_file = Security interval = 5 server = a-dc-01 # system/local/props.conf (also tried putting this under search) # [source::WMI:WinEventLog:Security] TRANSFORMS-WMISecurityLog = setWMISecurityLogRetain,setWMISecurityLogNull # system/local/transforms.conf (also tried putting this under search) # [setWMISecurityLogNull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setWMISecurityLogRetain] REGEX = (?m)^EventCode=(4662|5136|5137|5138|5139|5141)\D DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P>I'm trying to limit the log entries to the IDs above but I'm getting many more EventCodes than I want.</P> <PRE><CODE>EventCode count(EventCode) --------- ---------------- 4662 44 4735 38 4768 84 4769 2413 4770 79 4771 13 4776 162 5159 1870 </CODE></PRE> <P>Thanks in advance, Hugh</P> Fri, 25 Mar 2011 10:33:04 GMT https://community.splunk.com/t5/Getting-Data-In/Remote-Event-Log-Windows-Filtering-by-EventCode-not-working/m-p/67683#M13664 hughkelley 2011-03-25T10:33:04Z https://community.splunk.com/t5/Getting-Data-In/Remote-Event-Log-Windows-Filtering-by-EventCode-not-working/m-p/67684#M13665 <P>I'm still exploring this theory, but it seems like</P> <H1>this doesn't match the events</H1> <P>[source::WMI:WinEventLog:Security]</P> <H1>but this does (specifying sourcetype, as opposed to source).</H1> <P>[WMI:WinEventLog:Security]</P> <P>Does that sound right?</P> Wed, 30 Mar 2011 04:16:32 GMT https://community.splunk.com/t5/Getting-Data-In/Remote-Event-Log-Windows-Filtering-by-EventCode-not-working/m-p/67684#M13665 hughkelley 2011-03-30T04:16:32Z https://community.splunk.com/t5/Getting-Data-In/Remote-Event-Log-Windows-Filtering-by-EventCode-not-working/m-p/67685#M13666 <P>If you want to keep only the events listed in setWMISecurityLogRetain and drop the rest, please invert the order of your transforms.<BR /> <PRE><BR /> TRANSFORMS-WMISecurityLog = setWMISecurityLogNull,setWMISecurityLogRetain<BR /> </PRE><BR /> BEWARE : On recent versions of the windows app, the sourcetype for windowsevents has changed, so should change the props.conf <BR /> [wmi] in splunk 4.1<BR /> [WMI:WinEventLog:Security] in 4.2</P> <P>please try then both, or use them both if you have a mix of forwarder's versions to cover them all.</P> Wed, 29 Jun 2011 19:49:25 GMT https://community.splunk.com/t5/Getting-Data-In/Remote-Event-Log-Windows-Filtering-by-EventCode-not-working/m-p/67685#M13666 yannK 2011-06-29T19:49:25Z https://community.splunk.com/t5/Getting-Data-In/Remote-Event-Log-Windows-Filtering-by-EventCode-not-working/m-p/67686#M13667 <P>UPDATE splunk 6.*<BR /> Since this version you can actually specify a list or range of eventCodes to exclude at the forwarder level, in inputs.conf. It will reduce the volume at the forwarder level and reduce the network load.</P> <P>see <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf</A></P> <P>example:</P> <P>[WinEventLog:Security]<BR /> disabled = 0<BR /> blacklist=566,800-850</P> Fri, 25 Oct 2013 23:33:15 GMT https://community.splunk.com/t5/Getting-Data-In/Remote-Event-Log-Windows-Filtering-by-EventCode-not-working/m-p/67686#M13667 yannK 2013-10-25T23:33:15Z https://community.splunk.com/t5/Getting-Data-In/Remote-Event-Log-Windows-Filtering-by-EventCode-not-working/m-p/67687#M13668 <P>see example :<BR /> Additional method to filter since Splunk 6.*<BR /> <A href="http://answers.splunk.com/answers/116817/filter-wineventlog-events-based-on-the-eventcodes">http://answers.splunk.com/answers/116817/filter-wineventlog-events-based-on-the-eventcodes</A></P> Tue, 31 Dec 2013 21:40:46 GMT https://community.splunk.com/t5/Getting-Data-In/Remote-Event-Log-Windows-Filtering-by-EventCode-not-working/m-p/67687#M13668 yannK 2013-12-31T21:40:46Z