topic Re: Wineventlog and Sysmon on split indexes using the same source (WinEventLog://ForwardedEvents) in Getting Data In

Wineventlog and Sysmon on split indexes using the same source (WinEventLog://ForwardedEvents)

b_chris21 — Mon, 26 Jul 2021 11:30:57 GMT

Hello everyone,

I am collecting Windows Event Logs and Sysmon Logs from my Windows Domain to my WEF. From WEF using a UF I am forwarding everything to my Splunk Indexer.

My question is:

How can I split my data collected to [WinEventLog://ForwardedEvents] to two different indexes (wineventlog, sysmon)? I don't want Sysmon to get into wineventlog index.

Shall I use props.conf and transform.conf modification to achieve that? If yes, can you please guide me on how this shall be formatted?

The next step would be to properly configure inputs.conf on Splunk_TA_Windows and TA-microsoft-sysmon so that I don't have to index unneeded stuff that will cause performance issues.

For example on TA-microsoft-sysmon's inputs.conf I will have to put:

[WinEventLog://ForwardedEvents]
disabled = 0
index = sysmon
start_from = oldest
currently_only = 0
checkpointInterval = 5
renderXml = true

but this will also index wineventlogs which are not needed in this index. Is that correct?

Thanks

Chris

Re: Wineventlog and Sysmon on split indexes using the same source (WinEventLog://ForwardedEvents)

venkatasri — Tue, 27 Jul 2021 04:34:40 GMT

Hi @b_chris21

sysmon having different conf settings using sysmon add-on, ForwardedEvents is part of Windows Add-on. you can find sysmon settings here - Solved: Re: Connectivity issues - Splunk Community

So if your ForwardedEvents Eventlogs alone you can direct them to index - wineventlog and sysmon add-on above said input to sysmon index.

An upvote would be appreciated if this reply helps!

Re: Wineventlog and Sysmon on split indexes using the same source (WinEventLog://ForwardedEvents)

b_chris21 — Tue, 27 Jul 2021 07:07:10 GMT

Hi @venkatasri,

thanks for your reply. I am aware of what you have described. The only difference is that on my WEF I have created a single subscription that drops all windows event logs and sysmon into Forwarded Events. (I know I could create collections per log instead).

So since all logs know drop into the same bucket (ForwardedEvents), I just want to split them into 2 different indexes as follows:

- windows event logs ---> index=wineventlog
- sysmon ----> index=sysmon

I have tried to add the following stanza on inputs.conf

[WinEventLog://ForwardedEvents] disabled = 0 index = sysmon start_from = oldest currently_only = 0 checkpointInterval = 5 renderXml = true

but it didn't work. Instead, all sysmon logs kept being ingested in wineventlog index along all the other logs.

Hope it's more clear know.

Kind regards,

Chris

Re: Wineventlog and Sysmon on split indexes using the same source (WinEventLog://ForwardedEvents)

venkatasri — Tue, 27 Jul 2021 08:39:21 GMT

Hi @b_chris21

I wonder inputs conf has been pointed to sysmon index and how these logs going to wineventlog.

Can you btool and find out is there other conf taking precedence on UF. If you have specific individual pattern for sysmon and winevent logs coming from ForwardedEvent collection then the approach I could think of is use props/transforms on HF/indexer layer to redirect them to respective index based on REGEX.

Re: Wineventlog and Sysmon on split indexes using the same source (WinEventLog://ForwardedEvents)

b_chris21 — Mon, 02 Aug 2021 07:05:34 GMT

Hi @venkatasri,

specifically both Windows Events and Sysmon are set to go to ForwardedEvents collection and not into separate ones.

Therefore both are indexed by default into wineventlog index via inputs.conf. I believe there is no way to split data from a single source to two different indexes, right?

How can this be done with a REGEX and editing the props.conf and transforms.conf? Can this be done on an indexer as I do not have an HF.

Thanks