Getting Data In

All Windows Event Logs but not others?

hammerthework
Engager

Problem: a hundred servers with the basic event logs (system, application, security) plus various other custom log containers. I want to get all the log containers but not the security log. All the servers don't have the same set of custom log containers so one conf file defining all the logs specifically isn't easy. Also, custom event logs get added regularly so the conf file will not be static.

Is there a way to create a conf file that will use a wildcard for the event logs and also not a specifc one that i won't have to change often?

thanks

ftk
Motivator

I think your best bet at this point is to take a look at your servers and group them into logical groups of servers with the same logs. Then look into setting up a deployment server (which can be housed on your main splunk instance, or any other, doesn't matter) to push out the relevant configs to the logical server groups.

You can have one default config that gets pushed to every server to monitor the standard logs found on all Windows server (Application, System, skipping Security in your case) and then additional configs for the logical groups that have additional log sources in common.

This will entail a bit of planning and a bit of change control process around adding new log sources on your servers, but will end up making your whole installation a lot easier to manage.

cervelli
Splunk Employee
Splunk Employee

Not currently Hammer, but that's an interesting enhancement request.

To clarify, is there any pattern to the names or their container? Do you want ansi-style wildcarding (e.g. '*') or regex pattern matching?

0 Karma

hammerthework
Engager

No there is no pattern to the names/containers. They are based on the names of the application. Regarding wildcarding or regex, we would need the ability to specifically exclude one or more logs but include the rest. Something like $eventLogList = AllEventLogs | where EventLog <> ("Security" OR "Sytem") as an example.

0 Karma

Genti
Splunk Employee
Splunk Employee

I think what you want to do can be achieved by Routing events to nullQueue
Make sure you create the regexes to match what you do not want and you should be set.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.