Archive

splunk 4.1.x .conf files no longer working with splunk 4.2

Explorer

Hi,

I've been using for 1 year or so a configuration for my splunk forwarders as it is in this link:
http://www.megafileupload.com/en/file/315637/local-rar.html

I store everything in /etc/system/local/*
The files above are merged with files those that splunk creates when it installs itself.

lately (i think starting with some 4.1.x version of splunk, on windows 2008 R2 domain controllers i no longer get the results I want:

  1. I want splunk to filter out all success audit events from the security logs and only send over failed audits. This however is not working, i get the entire output of the security logs which in turn is making us go over our quota for indexed data.

Could anyone take a look at the configuration files and tell me what should be changed in order to get splunk to filter out failed audits?

The config files are also supposed to filter out some audit success events, that is also not working, but that is secondary concern, first I'd like him to just make this simple failed audit/sucess audit filter that has been working fine for over 1 year.

thanks,
ionut

Explorer

Anyone, any thoughts on this?

thanks,
ionut

0 Karma

Explorer

hi,

To clear up a few things:
NO WMI filtering is done, i'm using the inputs file to explicitly disable it.

I've updated the files we use:
http://www.megafileupload.com/en/file/315727/local2-rar.html

This is how we want to use splunk
http://imageshack.us/photo/my-images/848/splunklogicaldiagram.jpg/

  1. We want to send all failure audit to one Splunk indexer
  2. We want to send some failure success events from the security Log to another splunk indexer server.
  3. We want to drop all other success audit events.

thank,
ionut

0 Karma

Splunk Employee
Splunk Employee

So, I don't see your transforms.conf file in the rar you linked to, however, there were some bad things about trying to route data to nullQueue under Splunk 4.1.x and 4.2 that were specific to WMI, which is how it looks like this data is being pulled into Splunk. These defects have been fixed under 4.2.1, so you might want to try updating to see if that helps.

0 Karma