topic Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder? in Getting Data In

How to filter Windows event logs on a Splunk 6.2.3 forwarder?

vad34 — Sun, 27 Dec 2015 08:47:14 GMT

Hello

How do I filter events (Windows event log) on a forwarder? btw how do I install a heavy forwarder?
I have Splunk 6.2.3.

tnx in advance

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

javiergn — Sun, 27 Dec 2015 09:07:56 GMT

Take a look at the whitelist and blacklist attributes:

http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/MonitorWindowsdata

You can even use advanced filtering now (see advanced filtering section)

For question number 2, the way you install a HF is exactly the same as any other Splunk Entrerprise instance. Just configure inputs and outputs accordingly and it'll behave like one. Take a look at this:

http://docs.splunk.com/Documentation/Splunk/6.2.3/Forwarding/Deployaheavyforwarder

Hope that helps.

Thanks,
J

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

vad34 — Sun, 27 Dec 2015 09:58:58 GMT

Tnx for quick reply,
I am unable to see how to download HF , only UF can be downloaded...

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

javiergn — Sun, 27 Dec 2015 10:05:11 GMT

UF is a different installer. Everything else comes from the same one. Simply download Splunk Enterprise and configure it to behave like a HF following the instructions I mentioned above.

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

vad34 — Sun, 27 Dec 2015 16:35:16 GMT

thanks a lot

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

esix_splunk — Mon, 28 Dec 2015 01:23:48 GMT

Full Splunk and a HF are the same instance. The only difference is that a HF is configured not for indexing, but forwarding events upstream to the indexing tier. An HF is also required for some type of Splunk Apps and modular inputs such as DBX, Sourcefire, AWS etc.

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

vad34 — Mon, 28 Dec 2015 14:56:14 GMT

Hello again,
I have configured heavy forwarder and have specified other Splunk instance to forward data .
I also configured in inputs.conf -Windows system events - whitelist & blacklist , but I am still able to see that other events coming to splunk and filtering isn't working.
Can u pls assist ?
Tnx in advance

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

vad34 — Wed, 30 Dec 2015 14:34:01 GMT

Anyone? ...

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

javiergn — Thu, 31 Dec 2015 08:58:47 GMT

Can you paste your inputs.conf stanza here?

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

vad34 — Tue, 29 Sep 2020 08:14:40 GMT

Sure ,
[default]
host = splunk-102
[splunktcp://9997]
[WinEventLog:System]
disabled = 0

only index events with these event IDs.

whitelist = 7036-7037

exclude these event IDs from being indexed.

blacklist = 0-7035,7037-10000
[WinEventLog:Security]
disabled = 0
current_only=1
blacklist1=EventCode="4726"

the same stanza appears in /opt/splunk/etc/apps/splunk_app_windows_infrastructure and in /opt/splunk/etc/apps/Splunk_TA_windows

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

javiergn — Thu, 31 Dec 2015 09:14:00 GMT

Hi, I've fixed several typos in your config. Try the following on your wineventlog section:

[WinEventLog://System]
disabled = 0
whitelist = 7036-7037
# Blacklist not needed based on the whitelist defined above

[WinEventLog://Security]
disabled = 0
current_only = 1
# Collect everything but the below
blacklist = 4726

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

javiergn — Thu, 31 Dec 2015 09:17:22 GMT

And don't forget to restart your splunk service of course.

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

vad34 — Thu, 31 Dec 2015 09:34:32 GMT

corrected it and restart the splunk service but still getting the event 4726

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

javiergn — Thu, 31 Dec 2015 09:44:28 GMT

Is the whitelist on your System log stanza working at least?

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

vad34 — Thu, 31 Dec 2015 09:47:20 GMT

yes, i see the event in splunk (event id 7036)

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

javiergn — Thu, 31 Dec 2015 09:49:36 GMT

Try the following too that uses advanced filtering. There seems to be some issues on certain versions with blacklists, see this post.

[WinEventLog://System]
disabled = 0
whitelist = 7036-7037
# Blacklist not needed based on the whitelist defined above

[WinEventLog://Security]
disabled = 0
current_only = 1
# Collect everything but the below
blacklist1=EventCode=”4726”

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

vad34 — Thu, 31 Dec 2015 09:57:55 GMT

still the same (

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

vad34 — Thu, 31 Dec 2015 10:02:20 GMT

still the same 😞

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

javiergn — Thu, 31 Dec 2015 10:14:12 GMT

Hi, I can't see your latest comment but I got the email notification.
There's probably too many nested comments above so I'll answer here.

Let's try a whitelist approach for your Security stanza:

[WinEventLog://Security]
disabled = 0
current_only = 1
whitelist = 1100-1108,4608-4725,4727-6416
# More details here: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

vad34 — Thu, 31 Dec 2015 11:25:29 GMT

Ok i tried and still able to see the event id 4726 😞