topic Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index? in Getting Data In

How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

oldguard911 — Mon, 29 Sep 2014 21:45:56 GMT

We have a new Splunk server. We have installed the universal forwarder on the server and it is currently sending the events to the main index. We would like all Windows events to go to the Windows index. How do I change where these events are go? I would like to do it from the server side if possible.

Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

sk314 — Mon, 29 Sep 2014 22:50:17 GMT

Have you tried adding an index =[your index] line to the inputs.conf file on your forwarder?

Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

oldguard911 — Tue, 30 Sep 2014 11:44:56 GMT

No... If I do it that way, every server has to be installed and then configured with the modification. The probability of mistakes on at least some servers is almost 100 percent as we do all of the servers. Is there no way to tell the server to put that traffic in a different index?

Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

somesoni2 — Tue, 30 Sep 2014 11:57:55 GMT

You configure your forwarder manually or using deployment server?

Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

oldguard911 — Tue, 30 Sep 2014 12:31:58 GMT

I have been doing it manually, but it sounds like you are suggesting that a deployment server might make the configuration a bit easier? We want to ensure we maintain tight security. I will look into the deployment server to see if that makes the process easier / more consistent.

Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

ltrand — Tue, 30 Sep 2014 15:18:08 GMT

Either using the deployment server (Splunk Only) or using something like Puppet or Chef (universal automation tools) will allow you to manage the entire environment from a single point.

Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

oldguard911 — Mon, 28 Sep 2020 17:47:06 GMT

We found an option to modify the props.conf and transforms.conf. We made it work on one Splunk server, but not the second one. The method looks like this on the working server.

in /opt/splunk/local/props.conf

add lines

[WinEventLog:Security]
TRANSFFORMS-windows=windows_security

in /opt/splunk/local/transforms.conf

[windows_security]
REGEX = (.*)
FORMAT =
DEST_Key = MetaData:Index
WRITE_META = true

Why would it work on one server and not the other.

Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

oldguard911 — Thu, 02 Oct 2014 20:35:19 GMT

And I know why it doesn't work, but I don't know what the line means...

In /opt/splunk/etc/system/local/props.conf are some lines that do not exist in the server that works. One of those lines is as follows:

TRANSFORMS = syslog-host

If I comment this line out, the changes made to redirect the security log start working. If I turn it off, the lines stop working. I am guessing an application we installed made this change, but I don't really understand what the line means. Any one understand why this might be needed?

Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

oldguard911 — Thu, 02 Oct 2014 20:58:24 GMT

So I think we have the final answer.

In /opt/splunk/etc/system/local/props.conf before anything else in the file (we had a [localhost] section) add the following lines:

[WinEventLog:Security]
TRANSFORMS-Windows = windows_security

[WinEventLog:System]
TRANSFORMS-Windows = windows_system

[WinEventLog:Application]
TRANSFORMS-Windows = windows_application

[WinEventLog:Setup]
TRANSFORMS-Windows = windows_setup

Create transforms.conf in /opt/splunk/etc/system/local if it does not exist and add the following lines:

[windows_security]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true

[windows_system]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true

[windows_application]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true

[windows_setup]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true

Make sure you have an index called windowsLogs and then restart the service. All of the logs go to the right location.

Not sure what created the [localhost] entries in the props.conf file or how critical they are. If any one has any insight on whether what we are doing is good or bad, or why the [localhost] entries might be on one server and not the other, that would be greatly appreciated. For right now it looks like we have what we were hoping for.