
How to forward an event of a certain source?

dbiguene
New Member

Hello everyone,

I work in a Citrix service and I need to forward events to Splunk Enterprise.
My forwarder is on a Citrix server and my indexer on another VM. I created an inputs file (forwarder side) with this line:
[WinEventLog://Application] to collect the events. That works, but I need only the Citrix events.
I can see the events with the Event Viewer and there is a "source" field (that contains for example "Citrix File Management", "WMsecurity", etc.).
Is it possible to collect only the events with a certain source value?

Something like :

[WinEventLog://Application]
source = Citrix File Management

(I tried; it doesn't work)

If not, is there another way to do that?

Thanks

0 Karma
1 Solution

FrankVl
Ultra Champion

Have a look at this: http://docs.splunk.com/Documentation/Splunk/latest/Admin/inputsconf#Event_Log_whitelist_and_blacklis...

It mentions "SourceName" as one of the keys by which you can whitelist / blacklist.

So that would then look like this in inputs.conf:

[WinEventLog://Application]
whitelist = SourceName=".*Citrix.*"
disabled = 0 


0 Karma
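The difference between the keyed form in the accepted answer (`SourceName=".*Citrix.*"`) and an unkeyed regex such as `whitelist = ^.*Citrix.*$` is what decides whether any Application events reach the indexer. The script below is an added illustration, not code from this thread or from Splunk: it models the whitelist decision over a few constructed events, assuming (per the inputs.conf docs) that a keyed value is a regex searched in that field, while an unkeyed value is read as a list of event codes or ranges, so a regex there matches nothing.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real log data), using the field names the
# inputs.conf docs list as whitelist keys for WinEventLog inputs.
EVENTS = [
    {"EventCode": "1000", "SourceName": "Citrix File Management"},
    {"EventCode": "7036", "SourceName": "Service Control Manager"},
    {"EventCode": "4100", "SourceName": "WMsecurity"},
    {"EventCode": "2003", "SourceName": "Citrix Profile management"},
]


def parse_whitelist(value: str) -> Tuple[Optional[str], str]:
    """Split 'Key="regex"' (or Key=%regex%) into (key, regex).
    A value with no key is returned as (None, value)."""
    m = re.match(r'^(\w+)=(["%])(.*)\2$', value.strip())
    if m:
        return m.group(1), m.group(3)
    return None, value.strip()


def event_allowed(event: Dict[str, str], whitelist: str) -> bool:
    """Simplified model (assumption) of the input's whitelist decision.
    Keyed form: regex search against that field.
    Unkeyed form: a list of event codes or ranges, e.g. '4624,4634' or
    '0-2000'; anything else (like '^.*Citrix.*$') matches no EventCode."""
    key, pattern = parse_whitelist(whitelist)
    if key is not None:
        return re.search(pattern, event.get(key, "")) is not None
    code = int(event["EventCode"])
    for item in pattern.split(","):
        item = item.strip()
        if re.fullmatch(r"\d+", item) and int(item) == code:
            return True
        rng = re.fullmatch(r"(\d+)-(\d+)", item)
        if rng and int(rng.group(1)) <= code <= int(rng.group(2)):
            return True
    return False


def filter_events(whitelist: str) -> List[str]:
    """Return the SourceName of every sample event the whitelist lets through."""
    return [e["SourceName"] for e in EVENTS if event_allowed(e, whitelist)]


if __name__ == "__main__":
    for wl in ['SourceName=".*Citrix.*"', "^.*Citrix.*$", "1000,7000-8000"]:
        print(f"whitelist = {wl!r:28} -> {filter_events(wl)}")
```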

dbiguene
New Member

My bad, I did not see that I had to modify inputs.conf in deployment-app/my-index (indexer side) and not inputs.conf on the forwarder side!
And you're right, I also forgot the quotes in my whitelist line.
Thanks a lot!

0 Karma


dbiguene
New Member

I tested your idea and another way (whitelist), but no matter my inputs.conf/props.conf/transforms.conf, my forwarder collects all the [WinEventLog]:System logs when I never wrote this line! So I have 500k system logs and 0 app logs in my Splunk indexer, and I know that I have 500k app logs with the Event Viewer. I don't understand 😕

inputs.conf:

[WinEventLog://Application]
whitelist = ^.*Citrix.*$
disabled = 0 
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi dbiguene,
I don't know Citrix logs, so could you share an example?
Anyway, you could identify a regex in Citrix and then filter them before indexing (see http://docs.splunk.com/Documentation/Splunk/7.1.1/Forwarding/Routeandfilterdatad ).

e.g. if in your logs you have the string source = Citrix File Management
you could configure your filter in the following way:
in props.conf

[WinEventLog://Application]
TRANSFORMS-filter_citrix = setnull,set_filter_citrix

in transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[set_filter_citrix]
REGEX = source\s\=\sCitrix\sFile\sManagement
DEST_KEY = queue
FORMAT = indexQueue

Mind the stanza order in props.conf; in transforms.conf, on the other hand, order isn't important.
Bye.
Giuseppe

0 Karma

dbiguene
New Member

OK, thanks, I will test that on Monday.

0 Karma