topic Re: How to monitor a specific Windows Application EventCode? in Getting Data In

How to monitor a specific Windows Application EventCode?

ericlarsen — Thu, 31 Aug 2017 15:06:56 GMT

I'm trying to monitor a specific Windows Application EventCode (via a whitelist), yet the events are not being sent to Splunk.

I've found numerous posts on the answers site, most of them with different configs, but I've yet to find one that works. What's stated in the documentation (http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/MonitorWindowseventlogdata#Create_advanced_filters_with_.27whitelist.27_and_.27blacklist.27) does not work as specified.

I've tried both of these stanzas with no luck:

[WinEventLog://Application]
disabled = 0
index = os_windows
whitelist = EventCode="^3000$"

[WinEventLog://Application]
disabled = 0
index = os_windows
whitelist = EventCode="3000"

I'm running v6.6.1. Any help would be appreciated.
Thanks.

Re: How to monitor a specific Windows Application EventCode?

gcusello — Thu, 31 Aug 2017 15:13:48 GMT

Hi ericlarsen,
in whitelist, you have to insert a regex not a string, try with

whitelist = EventCode\=\"3000\"

check if the message is effectively EventCode="3000", I'm not sure of brackets.

Bye.
Giuseppe

Re: How to monitor a specific Windows Application EventCode?

ericlarsen — Thu, 31 Aug 2017 17:43:33 GMT

I don't think the quotes are needed (I don't see them in the actual Event Log details).

I've tried all of the following with no luck:
1. whitelist = EventCode=\"3000\"
2. whitelist = EventCode=3000
3. whitelist = EventCode=3000

The documentation is very straightforward as to how this should work. Very frustrating it doesn't function as advertised.

Re: How to monitor a specific Windows Application EventCode?

gcusello — Fri, 01 Sep 2017 07:03:14 GMT

Hi ericlarsen,
at first verify if regex is correct using a simple searchç:
index=wineventlog | regex "EventCode=3000"
you should have only events with EvenCode=3000.
Sometimes EventCode is expressed as EventId and sometimes there are spaces.

If regex is correct I suggest to use a different approach to filter events: see at http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad and filter data before indexing.
I know that this requireme more bandwidht occupation but it's a sure method.

Bye.
Giuseppe

Re: How to monitor a specific Windows Application EventCode?

ericlarsen — Fri, 01 Sep 2017 13:10:14 GMT

Thanks for the response.

I've verified that index=myIndex | regex "EventCode=3000" works in the search bar.

Are you suggesting using a HF to filter events before they're ingested?
Thanks.

Re: How to monitor a specific Windows Application EventCode?

gcusello — Fri, 01 Sep 2017 13:28:40 GMT

No, in your indexers you can filter events following the URL I mentioned.
In other words, you have to insert in
props.conf

[WinEventLog:Security]
TRANSFORMS-set-3000=set_nullqueue,set_3000

transforms.conf

#discard
[set_nullqueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue
#take
[set_3000]
REGEX=EventCode\=3000
DEST_KEY = queue
FORMAT = indexQueue

In this way on sourcetype WinEventLog:Security you take only events with EventCode=3000

Bye.
Giuseppe

Re: How to monitor a specific Windows Application EventCode?

woodcock — Sun, 03 Sep 2017 19:48:06 GMT

You need to deploy these settings to your indexing server (usually your Indexer Tier but it could be your Heavy Forwarder).
You need to restart all Splunk instances there.
You need to verify it by checking ONLY events that have been indexed since the restart ( _index_earliest=-5m@m or similar) because existing events will stay (you can use delete to hide them).

Re: How to monitor a specific Windows Application EventCode?

ericlarsen — Tue, 05 Sep 2017 16:21:05 GMT

The approach Giuseppe suggested is not one I'm exploring. I'm confident this can be done via a whitelist on the UF, not on the Indexers.

Re: How to monitor a specific Windows Application EventCode?

woodcock — Sun, 10 Sep 2017 06:27:00 GMT

My answer is not "an approach"; it is a deployment and testing methodology regardless of what approach you do use. In other words, the problem is probably not in "your approach".