https://community.splunk.com/t5/Getting-Data-In/WMI-Filter-event-log-security-Category-string/m-p/84951#M17682 <P>Hi,</P> <P>Running a trial of splunk 4.2 on windows 2008, attempting to filter before entering the index queue. Objective to "account management" security events and drop all other events.</P> <P>The only data to enter index is <BR /><BR /> source="WMI:WinEventLog:Security" CategoryString="Account Management"</P> <P>I have created props.conf and transforms.conf in C:\Program Files\Splunk\etc\system\local tried a few different combinations, but so far no progress.</P> <P><B>props.conf</B> </P> <BLOCKQUOTE> <P>[WinEventLog:Security]<BR /><BR /> TRANSFORMS-evtlog = wmi-filter,wmi-null`</P> </BLOCKQUOTE> <P><B>transforms.conf</B> </P> <BLOCKQUOTE> <P>[wmi-null]<BR /><BR /> REGEX = .<BR /><BR /> DEST_KEY = queue<BR /><BR /> FORMAT = nullQueue </P> <P>[wmi-filter]<BR /><BR /> REGEX=(?msi)^(CategoryString=Account Management)<BR /><BR /> DEST_KEY = queue<BR /><BR /> FORMAT = indexQueue </P> </BLOCKQUOTE> <P>welcome some guidance, thanks</P> Wed, 20 Apr 2011 05:01:40 GMT android_74 2011-04-20T05:01:40Z https://community.splunk.com/t5/Getting-Data-In/WMI-Filter-event-log-security-Category-string/m-p/84951#M17682 <P>Hi,</P> <P>Running a trial of splunk 4.2 on windows 2008, attempting to filter before entering the index queue. Objective to "account management" security events and drop all other events.</P> <P>The only data to enter index is <BR /><BR /> source="WMI:WinEventLog:Security" CategoryString="Account Management"</P> <P>I have created props.conf and transforms.conf in C:\Program Files\Splunk\etc\system\local tried a few different combinations, but so far no progress.</P> <P><B>props.conf</B> </P> <BLOCKQUOTE> <P>[WinEventLog:Security]<BR /><BR /> TRANSFORMS-evtlog = wmi-filter,wmi-null`</P> </BLOCKQUOTE> <P><B>transforms.conf</B> </P> <BLOCKQUOTE> <P>[wmi-null]<BR /><BR /> REGEX = .<BR /><BR /> DEST_KEY = queue<BR /><BR /> FORMAT = nullQueue </P> <P>[wmi-filter]<BR /><BR /> REGEX=(?msi)^(CategoryString=Account Management)<BR /><BR /> DEST_KEY = queue<BR /><BR /> FORMAT = indexQueue </P> </BLOCKQUOTE> <P>welcome some guidance, thanks</P> Wed, 20 Apr 2011 05:01:40 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-Filter-event-log-security-Category-string/m-p/84951#M17682 android_74 2011-04-20T05:01:40Z https://community.splunk.com/t5/Getting-Data-In/WMI-Filter-event-log-security-Category-string/m-p/84952#M17683 <P>Android,</P> <P>The issue could be with props.conf above. If your data is being indexed as WMI:WinEventLog:Security, your <CODE>&lt;spec&gt;</CODE> stanza within props.conf should reflect:</P> <PRE><CODE>## props.conf [WMI:WinEventLog:Security] TRANSFORMS-evtlog = wmi-null,wmi-filter </CODE></PRE> <P>UPDATE: For TRANSFORMS you want to place your catch all as the first property to run.</P> Wed, 20 Apr 2011 21:10:29 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-Filter-event-log-security-Category-string/m-p/84952#M17683 hazekamp 2011-04-20T21:10:29Z https://community.splunk.com/t5/Getting-Data-In/WMI-Filter-event-log-security-Category-string/m-p/84953#M17684 <P>unfortunately this change has still has not had the desired outcome, all of the eventlog is till coming thru. Thanks for your assistance.</P> Thu, 21 Apr 2011 01:38:10 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-Filter-event-log-security-Category-string/m-p/84953#M17684 android_74 2011-04-21T01:38:10Z https://community.splunk.com/t5/Getting-Data-In/WMI-Filter-event-log-security-Category-string/m-p/84954#M17685 <P>trying out</P> <P>[source::(?-i)WMI:WinEventLog:Security]<BR /><BR /> TRANSFORMS-evtlog = wmi-filter,wmi-null</P> Thu, 21 Apr 2011 01:56:54 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-Filter-event-log-security-Category-string/m-p/84954#M17685 android_74 2011-04-21T01:56:54Z https://community.splunk.com/t5/Getting-Data-In/WMI-Filter-event-log-security-Category-string/m-p/84955#M17686 <P>okay... just tried:</P> <P>props.conf</P> <BLOCKQUOTE> <P>[WMI:WinEventLog:Security]<BR /><BR /> TRANSFORMS-evtlog = wmi-null,wmi-filter </P> </BLOCKQUOTE> <P>and it is working!.. which is very confusing. I did swap the tranforms around, but still.</P> <P>thank you.</P> Thu, 21 Apr 2011 05:36:33 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-Filter-event-log-security-Category-string/m-p/84955#M17686 android_74 2011-04-21T05:36:33Z https://community.splunk.com/t5/Getting-Data-In/WMI-Filter-event-log-security-Category-string/m-p/84956#M17687 <P>If it helps, this is pretty much my final for auditing changes to active directory</P> <BLOCKQUOTE> <H2>props.conf</H2> <P>[WMI:WinEventLog:Security]<BR /><BR /> TRANSFORMS-evtlog = wmi-null,wmi-filter,wmi-filter28user,wmi-filter28SecGrp,wmi-filter28DlGrp </P> <H2>transforms.conf</H2> <P>[wmi-null]<BR /><BR /> REGEX = .<BR /><BR /> DEST_KEY = queue<BR /><BR /> FORMAT = nullQueue<BR /><BR /> [wmi-filter]<BR /><BR /> REGEX=(?msi)^(CategoryString=Account Management)<BR /><BR /> DEST_KEY = queue<BR /><BR /> FORMAT = indexQueue<BR /><BR /> [wmi-filter28user]<BR /><BR /> REGEX=(?msi)^(CategoryString=User Account Management)<BR /><BR /> DEST_KEY = queue<BR /><BR /> FORMAT = indexQueue</P> </BLOCKQUOTE> Mon, 28 Sep 2020 09:30:01 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-Filter-event-log-security-Category-string/m-p/84956#M17687 android_74 2020-09-28T09:30:01Z https://community.splunk.com/t5/Getting-Data-In/WMI-Filter-event-log-security-Category-string/m-p/84957#M17688 <BLOCKQUOTE> <P>[wmi-filter28SecGrp]<BR /><BR /> REGEX=(?msi)^(CategoryString=Security Group Management)<BR /><BR /> DEST_KEY = queue<BR /><BR /> FORMAT = indexQueue </P> <P>[wmi-filter28DlGrp]<BR /><BR /> REGEX=(?msi)^(CategoryString=Distribution Group Management)<BR /><BR /> DEST_KEY = queue<BR /><BR /> FORMAT = indexQueue</P> </BLOCKQUOTE> Wed, 27 Apr 2011 00:38:35 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-Filter-event-log-security-Category-string/m-p/84957#M17688 android_74 2011-04-27T00:38:35Z