https://community.splunk.com/t5/Getting-Data-In/How-to-forward-only-specific-Windows-eventlogs-via-Splunk/m-p/41569#M7736 <P>I need to monitor only logs with Event code = 5410,6913.<BR /> How can i setup this in forwarder ?<BR /> please suggest some help</P> Wed, 21 Aug 2013 12:53:50 GMT chimbudp 2013-08-21T12:53:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-only-specific-Windows-eventlogs-via-Splunk/m-p/41569#M7736 <P>I need to monitor only logs with Event code = 5410,6913.<BR /> How can i setup this in forwarder ?<BR /> please suggest some help</P> Wed, 21 Aug 2013 12:53:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-only-specific-Windows-eventlogs-via-Splunk/m-p/41569#M7736 chimbudp 2013-08-21T12:53:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-only-specific-Windows-eventlogs-via-Splunk/m-p/41570#M7737 <P>This is what the book says to do...</P> <P>On the forwarder, you need to enable the WinEventLog:Security input.</P> <P>On the indexer you need to create entries in your system/local/props.conf and system/local/transforms.conf</P> <P>props.conf</P> <P>[source::*:Security]</P> <P>TRANSFORMS-set=setnull,setparsing</P> <P>transforms.conf</P> <P>[setnull]</P> <P>REGEX = .</P> <P>DEST_KEY = queue</P> <P>FORMAT = nullQueue</P> <P>[setparsing]</P> <P>REGEX =(?m)^EventCode=(5410|6913)</P> <P>DEST_KEY = queue</P> <P>FORMAT = indexQueue</P> Wed, 21 Aug 2013 13:31:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-only-specific-Windows-eventlogs-via-Splunk/m-p/41570#M7737 lukejadamec 2013-08-21T13:31:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-only-specific-Windows-eventlogs-via-Splunk/m-p/41571#M7738 <P>the docs are at </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest">http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> <P>/k</P> Wed, 21 Aug 2013 14:10:04 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-only-specific-Windows-eventlogs-via-Splunk/m-p/41571#M7738 kristian_kolb 2013-08-21T14:10:04Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-only-specific-Windows-eventlogs-via-Splunk/m-p/41572#M7739 <P>As of Splunk 6, there is a simpler way to filter which Windows events are forwarded by Splunk.</P> <P>See whitelist and blacklist in the "Windows Event Log Monitor" section of the following doc: <A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf</A></P> Tue, 11 Mar 2014 03:20:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-only-specific-Windows-eventlogs-via-Splunk/m-p/41572#M7739 sbrant_splunk 2014-03-11T03:20:05Z