Hello everyone
I work on a Citrix service and I need to forward events to Splunk Enterprise.
My forwarder is on a Citrix server and my indexer is on another VM. I created an inputs file (forwarder side) with this line:
[WinEventLog://Application] to collect the events. That works, but I need only the Citrix events.
I can see the events with the Event Viewer and there is a "source" field (that contains, for example, "Citrix File Management", "WMsecurity", etc.).
Is it possible to collect only the events with a certain source value?
Something like :
[WinEventLog://Application]
source = Citrix File Management
(I tried it; it doesn't work.)
If not, is there another way to do that?
Thanks
Have a look at this: http://docs.splunk.com/Documentation/Splunk/latest/Admin/inputsconf#Event_Log_whitelist_and_blacklis...
It mentions "SourceName" as one of the keys by which you can whitelist / blacklist.
So that would then look like this in inputs.conf:
[WinEventLog://Application]
whitelist = SourceName=".*Citrix.*"
disabled = 0
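The key=regex whitelist form above, simulated in Python against constructed sample events (an added example, not code from the thread or from Splunk). It approximates the documented matching rules: a keyed pair such as SourceName=".*Citrix.*" (or SourceName=%.*Citrix.*%) is a regex tested against that event field, several pairs on one line are assumed to all have to match, and a keyless value is read as a list of event IDs or ranges (e.g. 4,5,100-200), which is why a bare regex like ^.*Citrix.*$ without a key selects nothing. The event fields and values are made up.

```python
import re

# Constructed sample events from the Application log, reduced to two of the
# fields the Windows event log input exposes as whitelist keys (made-up values).
SAMPLE_EVENTS = [
    {"EventCode": "1000", "SourceName": "Citrix File Management"},
    {"EventCode": "4097", "SourceName": "WMsecurity"},
    {"EventCode": "1026", "SourceName": ".NET Runtime"},
    {"EventCode": "1012", "SourceName": "Citrix Desktop Service"},
    {"EventCode": "1000", "SourceName": "Application Error"},
]

# key="regex" or key=%regex% pairs, as accepted on a whitelist line
_KEYED_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|%([^%]*)%)')


def _id_list_matcher(value):
    """Keyless form: comma-separated event IDs or ranges, e.g. 4,5,100-200.
    Returns a predicate over the EventCode string."""
    ranges = []
    for part in value.split(","):
        lo, _, hi = part.strip().partition("-")
        try:
            ranges.append((int(lo), int(hi or lo)))
        except ValueError:
            # Not numeric (e.g. a bare regex like ^.*Citrix.*$): no event ID
            # can ever match it, which is the OP's failure mode.
            return lambda code: False

    def match(code):
        try:
            n = int(code)
        except ValueError:
            return False
        return any(lo <= n <= hi for lo, hi in ranges)

    return match


def parse_whitelist(value):
    """Turn a whitelist value into a list of (field, predicate) rules."""
    value = value.strip()
    pairs = _KEYED_PAIR.findall(value)
    if pairs:
        # quoted or percent-delimited regex; findall yields ("" for the unused form)
        return [(key, re.compile(quoted or percent).search)
                for key, quoted, percent in pairs]
    return [("EventCode", _id_list_matcher(value))]


def matches(rules, event):
    # Every key=regex pair on the same line must match (assumed semantics).
    return all(pred(event.get(key, "")) for key, pred in rules)


def select_events(whitelist, events=SAMPLE_EVENTS):
    rules = parse_whitelist(whitelist)
    return [ev for ev in events if matches(rules, ev)]


def sources(whitelist, events=SAMPLE_EVENTS):
    """SourceName of each event the whitelist would let through, in order."""
    return [ev["SourceName"] for ev in select_events(whitelist, events)]


if __name__ == "__main__":
    for wl in ('SourceName=".*Citrix.*"', "^.*Citrix.*$", "1000,1012",
               'SourceName="^Citrix File" EventCode="^1000$"'):
        print(f"whitelist = {wl!r:45} -> {sources(wl)}")
```

Note that the regex is case-sensitive as written, so a source named "citrix ..." in lower case would not be selected by .*Citrix.*; use (?i) in the pattern if that matters on your hosts.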
My bad, I did not see that I had to modify inputs.conf in deployment-app/my-index (indexer side) and not inputs.conf on the forwarder side!
And you're right, I also forgot the quotes in my whitelist line.
Thanks a lot!
I tested your idea and another way (whitelist), but no matter what I put in my inputs.conf/props.conf/transforms.conf, my forwarder collects all the [WinEventLog://System] logs when I never wrote this line! So I have 500k System logs and 0 Application logs in my Splunk indexer, and I know that I have 500k Application logs in Event Viewer. I don't understand 😕
inputs.conf:
[WinEventLog://Application]
whitelist = ^.*Citrix.*$
disabled = 0
Hi dbiguene
I don't know Citrix logs, so could you share an example?
Anyway, you could identify a regex for the Citrix events and then filter them before indexing (see http://docs.splunk.com/Documentation/Splunk/7.1.1/Forwarding/Routeandfilterdatad ).
e.g. if in your logs you have the string source = Citrix File Management
you could configure your filter in the following way:
in props.conf
# props.conf stanza is the sourcetype of the events (WinEventLog:Application), not the inputs.conf stanza name
[WinEventLog:Application]
TRANSFORMS-filter_citrix = setnull,set_filter_citrix
in transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[set_filter_citrix]
REGEX = source\s\=\sCitrix\sFile\sManagement
DEST_KEY = queue
FORMAT = indexQueue
Beware of the stanza order in props.conf; in transforms.conf, by contrast, the order isn't important.
Bye.
Giuseppe
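The nullQueue/indexQueue routing described above, as a Python simulation added here (not Giuseppe's or Splunk's code) over constructed raw events in the classic WinEventLog text rendering, where the source appears on a SourceName= line rather than as "source = ..."; the regex is adjusted to that format, and a third stanza, set_filter_any_citrix (my addition), shows the generalisation to every Citrix source. Two checks worth keeping in mind: the transforms named in TRANSFORMS-filter_citrix are applied in order and the last match sets the queue, so listing setnull after set_filter_citrix discards everything; and this kind of regex filtering happens at parsing time, so it takes effect on an indexer or heavy forwarder, not on a universal forwarder.

```python
import re

# Constructed raw events in the classic (non-XML) WinEventLog rendering,
# trimmed to the fields relevant here. Timestamps and messages are made up.
RAW_EVENTS = [
    "06/18/2018 09:12:01 AM\nLogName=Application\nSourceName=Citrix File Management\n"
    "EventCode=1000\nMessage=Profile loaded",
    "06/18/2018 09:12:05 AM\nLogName=Application\nSourceName=WMsecurity\n"
    "EventCode=4097\nMessage=Policy applied",
    "06/18/2018 09:12:09 AM\nLogName=Application\nSourceName=Citrix Desktop Service\n"
    "EventCode=1012\nMessage=Session started",
]

# transforms.conf stanzas as name -> (REGEX, FORMAT); DEST_KEY = queue for all.
# set_filter_any_citrix is an added stanza, not one from the thread.
TRANSFORMS = {
    "setnull": (r".", "nullQueue"),
    "set_filter_citrix": (r"^SourceName=Citrix File Management$", "indexQueue"),
    "set_filter_any_citrix": (r"^SourceName=Citrix", "indexQueue"),
}


def route(raw, transform_order):
    """Apply the named transforms in the order listed on the props.conf
    TRANSFORMS- line. Each matching transform overwrites the queue key, so the
    last match wins; an event nothing matched stays on the index queue."""
    queue = "indexQueue"
    for name in transform_order:
        regex, fmt = TRANSFORMS[name]
        if re.search(regex, raw, re.MULTILINE):
            queue = fmt
    return queue


def source_of(raw):
    m = re.search(r"^SourceName=(.*)$", raw, re.MULTILINE)
    return m.group(1) if m else None


def indexed_sources(transform_order, events=RAW_EVENTS):
    """SourceName of every event that would reach the index queue."""
    return [source_of(raw) for raw in events
            if route(raw, transform_order) == "indexQueue"]


if __name__ == "__main__":
    for order in (["setnull", "set_filter_citrix"],
                  ["set_filter_citrix", "setnull"],
                  ["setnull", "set_filter_any_citrix"]):
        print(f"TRANSFORMS-filter_citrix = {','.join(order):40} -> {indexed_sources(order)}")
```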
OK, thanks, I will test that on Monday.