https://community.splunk.com/t5/Getting-Data-In/Collecting-Windows-eventlogs-with-whitelist-based-on-word/m-p/281253#M53799 <P>Hi</P> <P>I need to collect all Windows security logs from my infrastructure with Splunk UF installed which include specific Keyword<BR /> I'm using following config for Splunk add-on for Windows, but this results in collecting all logs from server.</P> <PRE><CODE>[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 whitelist1 = (?msi)^Workstation\s+Name\:\s+KEYWORD index = wineventlog renderXml=false </CODE></PRE> <P>How can I do this correctly?</P> Tue, 26 Jul 2016 15:55:48 GMT ArsenyKapralov 2016-07-26T15:55:48Z https://community.splunk.com/t5/Getting-Data-In/Collecting-Windows-eventlogs-with-whitelist-based-on-word/m-p/281253#M53799 <P>Hi</P> <P>I need to collect all Windows security logs from my infrastructure with Splunk UF installed which include specific Keyword<BR /> I'm using following config for Splunk add-on for Windows, but this results in collecting all logs from server.</P> <PRE><CODE>[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 whitelist1 = (?msi)^Workstation\s+Name\:\s+KEYWORD index = wineventlog renderXml=false </CODE></PRE> <P>How can I do this correctly?</P> Tue, 26 Jul 2016 15:55:48 GMT https://community.splunk.com/t5/Getting-Data-In/Collecting-Windows-eventlogs-with-whitelist-based-on-word/m-p/281253#M53799 ArsenyKapralov 2016-07-26T15:55:48Z https://community.splunk.com/t5/Getting-Data-In/Collecting-Windows-eventlogs-with-whitelist-based-on-word/m-p/281254#M53800 <P>Yes in this way you take all security eventlogs.<BR /> if you want not all logs but only the ones that contain specific words, you have to filter them using props.conf and transforms.conf on your indexer.<BR /> Bye.<BR /> Giuseppe </P> Tue, 26 Jul 2016 16:11:54 GMT https://community.splunk.com/t5/Getting-Data-In/Collecting-Windows-eventlogs-with-whitelist-based-on-word/m-p/281254#M53800 gcusello 2016-07-26T16:11:54Z https://community.splunk.com/t5/Getting-Data-In/Collecting-Windows-eventlogs-with-whitelist-based-on-word/m-p/281255#M53801 <P>Yes, this is traditional way for doing this, but it impacts performance of indexers. </P> <P>As I found in docs (<A href="http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/MonitorWindowseventlogdata">http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/MonitorWindowseventlogdata</A>) I have ability to filter some logs on UF side and filter could be based on regex.<BR /> So my question is what am I doing wrong in my example and how to make it working?</P> Wed, 27 Jul 2016 08:18:19 GMT https://community.splunk.com/t5/Getting-Data-In/Collecting-Windows-eventlogs-with-whitelist-based-on-word/m-p/281255#M53801 ArsenyKapralov 2016-07-27T08:18:19Z https://community.splunk.com/t5/Getting-Data-In/Collecting-Windows-eventlogs-with-whitelist-based-on-word/m-p/281256#M53802 <P>For my Splunk knowledge, Universal Forwarders don't parse logs, parsing is done by Heavy Forwarders and Indexers.</P> <P>There are two ways to don't parse logs on the Indexer:</P> <UL> <LI>put an Heavy Forwarder between Universal Forwarders and Indexer and use it to filter logs,</LI> <LI>get logs not directly from wineventlog but from a script that runs on the Universal Forwarder and writes the filtered logs in a file.</LI> </UL> <P>Bye.<BR /> Giuseppe</P> Sat, 30 Jul 2016 16:33:19 GMT https://community.splunk.com/t5/Getting-Data-In/Collecting-Windows-eventlogs-with-whitelist-based-on-word/m-p/281256#M53802 gcusello 2016-07-30T16:33:19Z https://community.splunk.com/t5/Getting-Data-In/Collecting-Windows-eventlogs-with-whitelist-based-on-word/m-p/281257#M53803 <P>You should be able to do it provided you have the event field name.<BR /> The syntax is - </P> <P><CODE>whilelist = &lt;list&gt; | key=regex [key=regex]</CODE></P> <P>You have so far - </P> <P><CODE>whitelist1 = (?msi)^Workstation\s+Name\:\s+KEYWORD</CODE></P> <P>Based on the doc you provided at <A href="http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/MonitorWindowseventlogdata">Monitor Windows event log data</A> <BR /> you need to identify the key -</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1640i8033E47E46CEFE2B/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Sun, 31 Jul 2016 21:57:20 GMT https://community.splunk.com/t5/Getting-Data-In/Collecting-Windows-eventlogs-with-whitelist-based-on-word/m-p/281257#M53803 ddrillic 2016-07-31T21:57:20Z