https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-HeavyForwarder-filter-and-send-to-indexer/m-p/118291#M24563 <P>Hi,</P> <P>Thanks for your reply, finally I've change my configuration for : [host::*] and in my transforms.conf I keep only the needed events.</P> <P>In fact I've old Win03 but I have win08R2 on the same environement and i need to catch both events.</P> Wed, 22 Jan 2014 10:28:44 GMT Gilgalidd 2014-01-22T10:28:44Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-HeavyForwarder-filter-and-send-to-indexer/m-p/118289#M24561 <P>Hello,</P> <P>I trying to retrieve all login/off/fail on my inderxer from UniversalForwarder filtered by Heavy forwarder :</P> <P>UF v5.0.5 (All Security logs) &gt; HF v5.0.5 (Filtering only 4642/4625/4634 events) &gt; Indexer v6.0 (just index)</P> <P>UF : Basic install with only Security logs configured to be send</P> <P>HF : Listen on and forward only</P> <PRE><CODE>**Props.conf :** [WinEventLog:Security] TRANSFORMS-routing=winEvents_stanza **Transforms.conf** [winEvents_stanza] REGEX=.* DEST_KEY=_TCP_ROUTING FORMAT=winEvents_group **outputs.conf** [tcpout] defaultGroup=defaultGroup [tcpout:defaultGroup] [tcpout:winEvents_group] server = X.X.X.X:xxxx sendCookedData = 0 </CODE></PRE> <P>Indexer : index received data</P> <P>If i don't configure the HF (props/transforms/outpouts) the Inderxer receive all Security logs but when I try to only filter on "WinEventLog:Security", the indexer will not receive the security logs.</P> <P>Is HF able to understand the sourcetype WinEventLog:Security ?</P> <P>Any Idea ?</P> <P>Thanks.</P> Fri, 17 Jan 2014 15:19:10 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-HeavyForwarder-filter-and-send-to-indexer/m-p/118289#M24561 Gilgalidd 2014-01-17T15:19:10Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-HeavyForwarder-filter-and-send-to-indexer/m-p/118290#M24562 <P>if you have old Win2003 servers, double check that the sourcetype is not WinEventLog:security (with lower case).</P> Tue, 21 Jan 2014 18:43:13 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-HeavyForwarder-filter-and-send-to-indexer/m-p/118290#M24562 yannK 2014-01-21T18:43:13Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-HeavyForwarder-filter-and-send-to-indexer/m-p/118291#M24563 <P>Hi,</P> <P>Thanks for your reply, finally I've change my configuration for : [host::*] and in my transforms.conf I keep only the needed events.</P> <P>In fact I've old Win03 but I have win08R2 on the same environement and i need to catch both events.</P> Wed, 22 Jan 2014 10:28:44 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-HeavyForwarder-filter-and-send-to-indexer/m-p/118291#M24563 Gilgalidd 2014-01-22T10:28:44Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-HeavyForwarder-filter-and-send-to-indexer/m-p/118292#M24564 <P>It works.<BR /> Othewise for WinEventLog only, another option is to create 2 version of the stanza in props.conf <BR /> <CODE><BR /> [WinEventLog:Security]<BR /> TRANSFORMS-routing=winEvents_stanza<BR /> [WinEventLog:security]<BR /> TRANSFORMS-routing=winEvents_stanza<BR /> </CODE></P> Wed, 22 Jan 2014 17:12:33 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-HeavyForwarder-filter-and-send-to-indexer/m-p/118292#M24564 yannK 2014-01-22T17:12:33Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-HeavyForwarder-filter-and-send-to-indexer/m-p/118293#M24565 <P>Oh we can do that ! Nice, maybe i will do change for it.</P> <P>Thanks for your help.</P> Thu, 23 Jan 2014 07:23:12 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-HeavyForwarder-filter-and-send-to-indexer/m-p/118293#M24565 Gilgalidd 2014-01-23T07:23:12Z