https://community.splunk.com/t5/Getting-Data-In/Issue-filtering-events-from-windows-secutiry-log-going-into/m-p/177178#M35518 <P>I am having difficulty filtering the Windows security logs. I have attempted to restrict the event IDs being sent but at the moment the entire security log is being indexed. Here is my currently deployed configuration. Any help would be greatly appreciated. </P> <P>Inputs.conf</P> <P>[WinEventLog:Security]<BR /> disabled=0<BR /> evt_resolve_ad_obj = 1</P> <P>index = security</P> <P>[WinEventLog:rDirectory]<BR /> disabled=0</P> <P>Props.conf</P> <P>[source::WinEventLog:Security]<BR /> TRANSFORMS-set= setnull,setparsing,setparsing2</P> <P>Transforms.conf</P> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue </P> <P>[setparsing]<BR /> REGEX=(?m)^EventCode=<BR /> (530|531|532|533|534|535|536|537|529|560|566|624|626|627|628|629|630|631|632|633|634|635|636|637|638|639|640|641|642|643|644|645|646|647|648|649|650|651|652|653|654|655|656|657|658|659|660|661|662|663|664|665|666|667|668|669|670|671|675|676|681|684|685|686|687|688|689|690|691|692|693|694|695|696|697|4625|4648|4656|4662|4706|4707|4713|4720|4723|4724|4725|4726|4727|4728|4729|4730|4731|4732|4733|4734|4735|4737|4738|4739|4740|4754|4755|4756|4757|4758|4767|4768|4771|4776|4780|4781|4786|4787|4788|4789|4790|4791|5136|5137)<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>[setparsing2]<BR /> REGEX=(?m)^Accesses=<BR /> (ListAccounts|DELETE|WRITE_DAC|WRITE_OWNER|WritePreferences|WriteAccount|SetPassword)<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> Mon, 28 Sep 2020 16:42:56 GMT briandickinson 2020-09-28T16:42:56Z https://community.splunk.com/t5/Getting-Data-In/Issue-filtering-events-from-windows-secutiry-log-going-into/m-p/177178#M35518 <P>I am having difficulty filtering the Windows security logs. I have attempted to restrict the event IDs being sent but at the moment the entire security log is being indexed. Here is my currently deployed configuration. Any help would be greatly appreciated. </P> <P>Inputs.conf</P> <P>[WinEventLog:Security]<BR /> disabled=0<BR /> evt_resolve_ad_obj = 1</P> <P>index = security</P> <P>[WinEventLog:rDirectory]<BR /> disabled=0</P> <P>Props.conf</P> <P>[source::WinEventLog:Security]<BR /> TRANSFORMS-set= setnull,setparsing,setparsing2</P> <P>Transforms.conf</P> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue </P> <P>[setparsing]<BR /> REGEX=(?m)^EventCode=<BR /> (530|531|532|533|534|535|536|537|529|560|566|624|626|627|628|629|630|631|632|633|634|635|636|637|638|639|640|641|642|643|644|645|646|647|648|649|650|651|652|653|654|655|656|657|658|659|660|661|662|663|664|665|666|667|668|669|670|671|675|676|681|684|685|686|687|688|689|690|691|692|693|694|695|696|697|4625|4648|4656|4662|4706|4707|4713|4720|4723|4724|4725|4726|4727|4728|4729|4730|4731|4732|4733|4734|4735|4737|4738|4739|4740|4754|4755|4756|4757|4758|4767|4768|4771|4776|4780|4781|4786|4787|4788|4789|4790|4791|5136|5137)<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>[setparsing2]<BR /> REGEX=(?m)^Accesses=<BR /> (ListAccounts|DELETE|WRITE_DAC|WRITE_OWNER|WritePreferences|WriteAccount|SetPassword)<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> Mon, 28 Sep 2020 16:42:56 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-filtering-events-from-windows-secutiry-log-going-into/m-p/177178#M35518 briandickinson 2020-09-28T16:42:56Z https://community.splunk.com/t5/Getting-Data-In/Issue-filtering-events-from-windows-secutiry-log-going-into/m-p/177179#M35519 <P>Any chance you are on splunk 6?</P> <P>You can filter event codes at the forwarders now.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata">http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata</A></P> Sun, 25 May 2014 19:13:42 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-filtering-events-from-windows-secutiry-log-going-into/m-p/177179#M35519 okrabbe_splunk 2014-05-25T19:13:42Z