topic How can I split custom Windows Event Logs from the same source into multiple source types? in Getting Data In

How can I split custom Windows Event Logs from the same source into multiple source types?

remygoglio — Wed, 08 Feb 2017 19:05:52 GMT

I have a custom Windows Event Log source that I want to monitor via an universal forwarder.

I'd like to split the events into 2 buckets resulting in 2 different source types in Splunk:
-first bucket is a made of a list of known codes
-second bucket is made of the rest of the events

in inputs.conf of the universal forwarder, I added the following Stanza

[WinEventLog://MyCustomSource]
disabled = 0
start_from = oldest
sourcetype=WinEventLogGeneric
blacklist=10001

[WinEventLog://MyCustomSource]
disabled = 0
start_from = oldest
sourcetype=WinEventLogWellKnownEvents
whitelist=10001

This does not seem to work.

My goal is to end up with 2 different source types, one for the generic events and one for well known events.

How can I do that?

Re: How can I split custom Windows Event Logs from the same source into multiple source types?

kmccririe_splun — Wed, 08 Feb 2017 19:45:19 GMT

The Cisco ASA TA does something similar to what your trying. If you look at the props.conf and transforms.conf that comes with that add-on it will help.

What that app does is takes that one source and assigns it sourcetypes based on regex. So you can split up one source into different sections with regex and give those sections sourcetypes.

Something like this:
inputs.conf:
[WinEventLog://MyCustomSource]
disabled = 0
start_from = oldest
sourcetype=WinEventLog

props.conf:
[WinEventLog]
TRANSFORMS-force_sourcetype_for_windows = wellKnowEvents, GenericEvents

transforms.conf:
[wellKnownEvents]
DEST_KEY - MetaData:Sourcetype
REGEX = < your regex that matches these events >
FORMAT = sourcetype:: < name of sourcetype>

[GenericEvents]
DEST_KEY - MetaData:Sourcetype
REGEX = < your regex that matches these events >
FORMAT = sourcetype:: < name of sourcetype>

Re: How can I split custom Windows Event Logs from the same source into multiple source types?

remygoglio — Fri, 10 Feb 2017 00:02:51 GMT

That does not seem to work.
I looked at other similar questions/answers, and it seems like others have the exact same issue.

What I get is sourcetype=WinEventLog as opposed to the source types set in transforms.conf.

I have even tried my regex in the search: index="myindex" | regex _raw="EventCode=(10001)"

Any other idea?

Re: How can I split custom Windows Event Logs from the same source into multiple source types?

remygoglio — Fri, 10 Feb 2017 00:53:28 GMT

Does the universal forwarder read props.conf?
It does not seem to based on my tests, which would explain why nothing is working.