Getting Data In

All Windows Event Logs but not others?

hammerthework
Engager

Problem: a hundred servers with the basic event logs (system, application, security) plus various other custom log containers. I want to get all the log containers but not the security log. All the servers don't have the same set of custom log containers so one conf file defining all the logs specifically isn't easy. Also, custom event logs get added regularly so the conf file will not be static.

Is there a way to create a conf file that will use a wildcard for the event logs and also exclude a specific one, so that I won't have to change it often?

thanks

ftk
Motivator

I think your best bet at this point is to take a look at your servers and group them into logical groups of servers with the same logs. Then look into setting up a deployment server (which can be housed on your main Splunk instance, or any other, doesn't matter) to push out the relevant configs to the logical server groups.

You can have one default config that gets pushed to every server to monitor the standard logs found on all Windows servers (Application, System, skipping Security in your case) and then additional configs for the logical groups that have additional log sources in common.

This will entail a bit of planning and a bit of change control process around adding new log sources on your servers, but will end up making your whole installation a lot easier to manage.
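The layout ftk describes, as an added example that is not ftk's own config or anything from the original thread: one deployment app with the standard inputs that goes to every Windows host, a second app with an application-specific log that goes only to the group that has it, and a serverclass.conf on the deployment server that ties them together. The server-class names, app names, index name, hostname patterns and the custom log name `MyCustomAppLog` are all assumed placeholders.

```ini
# Added example, not from the thread. All names below are placeholders.
#
# $SPLUNK_HOME/etc/deployment-apps/win_base_inputs/local/inputs.conf
# Pushed to every Windows host: the standard logs, with Security left out.
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
index = wineventlog

# $SPLUNK_HOME/etc/deployment-apps/win_app_custom/local/inputs.conf
# Pushed only to the group of servers that actually has this log container.
[WinEventLog://MyCustomAppLog]
disabled = 0
start_from = oldest
current_only = 0
index = wineventlog

# $SPLUNK_HOME/etc/system/local/serverclass.conf (on the deployment server)
# Every Windows forwarder that phones home gets the base app.
[serverClass:windows_base]
whitelist.0 = *
machineTypesFilter = windows-x64

[serverClass:windows_base:app:win_base_inputs]
restartSplunkd = true

# Only hosts matching these name patterns also get the custom-log app.
[serverClass:windows_custom_app]
whitelist.0 = app-*
whitelist.1 = appsrv*

[serverClass:windows_custom_app:app:win_app_custom]
restartSplunkd = true
```

When a new custom log container appears, the change is one new deployment app plus one server class with a whitelist; the base app never changes, which is the change-control benefit ftk is pointing at. `splunk reload deploy-server` on the deployment server pushes the update, and the forwarders restart splunkd because of `restartSplunkd = true`.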

cervelli
Splunk Employee

Not currently Hammer, but that's an interesting enhancement request.

To clarify, is there any pattern to the names or their container? Do you want ansi-style wildcarding (e.g. '*') or regex pattern matching?

0 Karma

hammerthework
Engager

No, there is no pattern to the names/containers. They are based on the names of the application. Regarding wildcarding or regex, we would need the ability to specifically exclude one or more logs but include the rest. Something like $eventLogList = AllEventLogs | where EventLog <> ("Security" OR "System") as an example.

0 Karma

Genti
Splunk Employee

I think what you want to do can be achieved by routing events to nullQueue.
Make sure you create the regexes to match what you do not want and you should be set.

0 Karma
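What Genti's nullQueue routing looks like in props.conf and transforms.conf, as an added example that is not Genti's configuration or anything posted in the thread. The transform name `drop_unwanted_eventlog` is assumed; the stanza keys (`TRANSFORMS-`, `REGEX`, `DEST_KEY`, `FORMAT`) and the `WinEventLog:<LogName>` source value are standard Splunk settings. This generalises the thread's case to both logs hammerthework named (Security and System) by pointing two source stanzas at the same transform.

```ini
# Added example, not from the thread. The transform name is a placeholder.
#
# props.conf (on the indexers, or on a heavy forwarder that parses the data)
# Windows event log inputs arrive with source=WinEventLog:<LogName>,
# so one stanza per log container that should be discarded.
[source::WinEventLog:Security]
TRANSFORMS-drop_unwanted = drop_unwanted_eventlog

[source::WinEventLog:System]
TRANSFORMS-drop_unwanted = drop_unwanted_eventlog

# transforms.conf
# REGEX = . matches every event from those sources; a narrower regex would
# drop only the matching events and index the rest.
[drop_unwanted_eventlog]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
```

Two practical points: nullQueue routing runs in the parsing pipeline, which a universal forwarder does not have, so these two files belong on the indexers or on a heavy forwarder, not in the forwarder app; and the events are still collected and sent before they are dropped, so this filters what gets indexed (and licensed) rather than what leaves the server. That is the trade-off against ftk's approach, where an inputs.conf that simply never enables the Security log keeps the data off the wire entirely.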