The searches in security splunk essentials point to a default source of wineventlog:security, can we change to point to a different source or index?
Yes (ish)! Assuming you're running Version 2.0.0 (released yesterday), you can turn on Advanced SPL mode (click the "Show SPL" link to access) to manually change the criteria for any given search you're looking at. Every search should be using index=*, so you shouldn't need to worry about the index itself. (If there are any exceptions, I'll get them fixed in the next bug release.)
If you want to change it on a global level (e.g., "we always use sourcetype=abc for our Windows Security Logs") then I actually do have some thoughts of maybe being able to support that in the future, but it's probably still a ways out -- first I've got to get through the things I wasn't able to fit into my 2.0.0 release timeline. There is a workaround though: you can edit the json files in /components/data/sampleSearches/*.json to specify your alternate sourcetype. It will be overwritten at the next upgrade, but it's a workaround for now.
I would be curious to know the specifics of what sourcetypes you have for Windows Security logs that are not wineventlog:security. If it's xmlwineventlog:security -- that one I'm definitely going to fix in the relatively near future. If it's something else entirely, I'd love to hear what you're doing. (I can email you directly as well, if you'd prefer.)
Hey David. First of all, thanks for the App. It's very useful. I tried v2.2.0 of the app but realized that we need to edit the json files. For instance, the firewall logs by default are for Palo Alto while we are using a mixture of Cisco and Fortinet. If your next release can incorporate a set up or settings interface, it would be perfect!
Awesome, we just installed 2.0 today. We will edit the json as suggested above. We have a subscription pushed out through GPO to all of our Windows systems that send their data to 2 Windows Event Collectors; from there we are utilizing the Splunk Universal Forwarder and all events are coming in with source="WinEventLog:ForwardedEvents".
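A helper for the JSON-editing workaround David describes above and for the source="WinEventLog:ForwardedEvents" setup in the last reply, as an added example that is not code from the Security Essentials app: the layout of the sampleSearches JSON files is not documented here, so the script scans every string value in each file (an assumption) rather than a known key, and the function names and the .bak backup convention are mine.

```python
"""Rewrite the default Windows Security source/sourcetype in a directory of
sample-search JSON files, keeping a .bak of each file it changes (the next
upgrade overwrites these files, so the backups record what was customised)."""
import json
import re
import shutil
from pathlib import Path

# Matches source=WinEventLog:Security or sourcetype="wineventlog:security",
# any case, quoted or unquoted. Groups: 1 field, 2 "=" with spaces, 3/4 quotes.
DEFAULT_RE = re.compile(r'(?i)\b(source|sourcetype)(\s*=\s*)("?)wineventlog:security("?)')


def rewrite_spl(spl, new_value, new_field=None):
    """Point one SPL string at new_value, preserving the original quoting.
    new_field switches the field too (e.g. sourcetype -> source, as in the
    ForwardedEvents setup); None keeps whichever field was already there."""
    def sub(m):
        field = new_field or m.group(1)
        return f"{field}{m.group(2)}{m.group(3)}{new_value}{m.group(4)}"
    return DEFAULT_RE.sub(sub, spl)


def rewrite_value(obj, new_value, new_field=None):
    """Recurse through parsed JSON and rewrite every string value found."""
    if isinstance(obj, str):
        return rewrite_spl(obj, new_value, new_field)
    if isinstance(obj, list):
        return [rewrite_value(v, new_value, new_field) for v in obj]
    if isinstance(obj, dict):
        return {k: rewrite_value(v, new_value, new_field) for k, v in obj.items()}
    return obj


def rewrite_files(directory, new_value, new_field=None):
    """Rewrite every *.json under directory; return the paths that changed."""
    changed = []
    for path in sorted(Path(directory).glob("*.json")):
        original = json.loads(path.read_text(encoding="utf-8"))
        updated = rewrite_value(original, new_value, new_field)
        if updated != original:
            shutil.copy2(path, path.with_suffix(".json.bak"))
            path.write_text(json.dumps(updated, indent=2), encoding="utf-8")
            changed.append(path)
    return changed


if __name__ == "__main__":
    import tempfile
    # Constructed sample search, not a real Security Essentials file.
    sample = {"name": "Demo", "search": 'index=* sourcetype="wineventlog:security" EventCode=4624'}
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "demo.json").write_text(json.dumps(sample), encoding="utf-8")
        for p in rewrite_files(tmp, "WinEventLog:ForwardedEvents", new_field="source"):
            print(p.name, "->", json.loads(p.read_text(encoding="utf-8"))["search"])
```

Run it against a copy of the sampleSearches directory first and diff the result against the .bak files before touching the live app, since the next upgrade will put the defaults back.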