I am not able to only forward certain interesting Windows events and ignore the rest. Running 4.2.x on both forwarder and indexer/receiver.
It ignores my restrictions and sends all Windows logs, as if props/transforms in local\ do not get acknowledged.
props:
[source::WinEventLog...]
TRANSFORMS-wmi = events-filter, events-null
[source::WinEventLog...]
TRANSFORMS-wmi = events-filter, events-null
transforms:
[events-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[events-filter]
REGEX=(?msi)^EventCode=(4625|4624|7036|1102|1033)
DEST_KEY = queue
FORMAT = indexQueue
Tried both [source::WinEventLog...] and [WMI:WinEventLog...], doesn't make a difference.
Driving me crazy, please assist.
On the latest Splunk versions 6.0+ you will want to have the Splunk_TA_Windows installed on the Forwarder and Indexer/Search Head tiers. This TA will extract the Event Code fields for you from Windows Event Logs.
Don't forget to also turn on auditing and domain policies for the specific events you want to collect.
Check out the Splunk Blog post about Windows Event Filtering
http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
I'm having a similar issue. How does Splunk classify these logs as WinEventLog? My previous, working, installation had
props.conf
[default]
TRANSFORMS-wmi=wminull
transforms.conf
[wminull]
REGEX=(?msi)^EventCode=(4768|4776|4769|4932|4933|5152|5158|4634|4672|5156|4662|4624|7036|5145|5140)\D
DEST_KEY=queue
FORMAT=nullQueue
Working now.
props.conf:
[WinEventLog:Security]
TRANSFORMS-security= events-null, events-null3, events-filter
[WinEventLog:System]
TRANSFORMS-system= events-null, events-filter
[WinEventLog:Application]
TRANSFORMS-application= events-null, events-filter
transforms.conf:
[events-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[events-null3]
REGEX=Logon Type=\s*(3)\D
DEST_KEY = queue
FORMAT = nullQueue
[events-filter]
REGEX=(?msi)^EventCode=(5157|4625|4624|7036|1102|1033)\D
DEST_KEY = queue
FORMAT = indexQueue
Key issues:
It worked perfectly when I set those values in the HeavyForwarder configurations.
BTW, the logon type 3 null filter filters out automated logins, something that clogs up logs and I did not care about. The event IDs are for successful logins/failed logins, application installs and service restarts. I am using one filter for all three facilities, working fine.
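As an added illustration (not code from this thread), here is a small Python model of how an event travels through the accepted answer's TRANSFORMS lists, using its props.conf and transforms.conf stanzas as written. It assumes Splunk's documented queue-routing semantics (transforms in a list run in order and the last matching one that sets DEST_KEY=queue wins); the sample events are constructed, and PROPS_NULL3_LAST is a hypothetical reordering added for comparison.

```python
import re

# transforms.conf from the accepted answer: name -> (REGEX, queue named by FORMAT).
TRANSFORMS = {
    "events-null": (r".", "nullQueue"),
    "events-null3": (r"Logon Type=\s*(3)\D", "nullQueue"),
    "events-filter": (r"(?msi)^EventCode=(5157|4625|4624|7036|1102|1033)\D", "indexQueue"),
}

# props.conf from the accepted answer: sourcetype -> ordered TRANSFORMS-* list.
PROPS = {
    "WinEventLog:Security": ["events-null", "events-null3", "events-filter"],
    "WinEventLog:System": ["events-null", "events-filter"],
    "WinEventLog:Application": ["events-null", "events-filter"],
}

# Hypothetical variant (not from the thread): the logon-type-3 drop runs after the allow-list.
PROPS_NULL3_LAST = {**PROPS, "WinEventLog:Security": ["events-null", "events-filter", "events-null3"]}

def route(sourcetype, raw, props=PROPS):
    """Return the queue an event lands in. Assumed semantics: transforms run in the listed
    order and every match overwrites the queue key, so the last match wins; an event that
    matches nothing stays on the default path to indexQueue."""
    queue = "indexQueue"
    for name in props.get(sourcetype, []):
        regex, dest = TRANSFORMS[name]
        if re.search(regex, raw):
            queue = dest
    return queue

# Constructed sample events (not captured from a real host), laid out the way the
# thread's regexes expect: one key=value header line per field.
SAMPLES = [
    ("WinEventLog:Security", "EventCode=4624\nLogon Type=2\nAccount Name=alice"),
    ("WinEventLog:Security", "EventCode=4624\nLogon Type=3\nAccount Name=svc-backup"),
    ("WinEventLog:Security", "EventCode=4672\nAccount Name=alice"),
    ("WinEventLog:System", "EventCode=7036\nMessage=Print Spooler entered the running state."),
    ("WinEventLog:System", "EventCode=7040\nMessage=Service start type changed."),
    ("WinEventLog:Application", "EventCode=1033\nMessage=Windows Installer installed a product."),
]

def summarize(props=PROPS, samples=SAMPLES):
    """Route every sample; returns (sourcetype, first header line, queue) triples."""
    return [(st, raw.split("\n")[0], route(st, raw, props)) for st, raw in samples]

if __name__ == "__main__":
    for label, props in (("as posted", PROPS), ("events-null3 last", PROPS_NULL3_LAST)):
        print(f"--- Security transform order: {label}")
        for st, head, queue in summarize(props):
            print(f"{st:24} {head:15} -> {queue}")
```

Running it shows the ordering caveat worth checking before deploying: with events-filter listed last, a 4624 whose Logon Type is 3 is sent back to indexQueue after events-null3 dropped it, whereas listing events-null3 after events-filter drops it.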
In your props.conf, use [WinEventLog:Security], skipping the source:: part, as you actually want to use a sourcetype definition. You should be able to use [WinEventLog:*] to apply this to all Windows event logs, but I haven't tried doing this before, so I am 100% not sure.
BTW, WinEventLog:* did not work. Splunk expects the Security/Application/System facility keywords there.
I don't think you want to use the ... wildcard for Windows event log sources. I'm not a Windows expert, but I suggest that you try
[source::WinEventLog*]
Have you tried selecting by sourcetype instead of source?
Have to admit that I am slightly confused about the WMI VS source VS sourcetype, especially the Windows/Splunk changes since 4.2 etc. Is anyone else forwarding Windows logs and filtering on 4.2.x Splunk?