Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Filtering security log at the universal forwarder.

rush2112
New Member
‎06-10-2014 08:42 AM

Hello,

I am trying to nail exactly what I need for this. There is so many different explanations, that I find I am more confused than when I started looking into it.

I am using a universal forwarder version 6.1.1.207789 on a Windows 2012 server. This is a DC.

Basically I only want to send event codes that are 4624 or 4634. I do not care about anything else at this stage.

I have changed the %splunk_home%\etc\system\local inputs.conf file to look like below:

[default]

host = YYY

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEvent.log://Security]
disabled = 0
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = 4624,4634

When I restarted the forwarder if just sent everything as normal. By normal I mean we chose security log tick box when we installed the Universal Forwarder in the first place.

By the way in the preview, it has removed the underscores from current only and evt resolve ad obj

This is the first time I have tried this. Any help much appreciated.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎06-10-2014 11:56 AM

Found it, there is a typo in the input name. So the default from another app must be applied instead.

[WinEvent.log://Security]
should be
[WinEventLog://Security]

To verify the result, run a btool
splunk cmd btool inputs list --debug

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎06-11-2014 10:36 AM

you can accept the answer, it will mark the question as resolved for other users.

0 Karma
Reply

rush2112
New Member
‎06-11-2014 06:27 AM

Thanks yannk, that was it. the full stop and the non capital on the L of log. All working well with the universalforwarder, and my license limit is safe again.

0 Karma
Reply

alterdego
Path Finder
‎06-10-2014 11:38 AM

To follow on aweitzman's suggestion to throw out the events you don't want, the following in an example of sending select event log items to the null queue with props.conf and transforms.conf(you will need to adjust your regex to the events you want to keep/drop):

http://answers.splunk.com/answers/59370/filtering-events-using-nullqueue

Reply

aweitzman
Motivator
‎06-10-2014 10:41 AM

You need to use a heavy forwarder if you want to filter the information before sending it. The universal forwarder only adds some metadata and forwards - it can't be used to do any filtering at the source:

http://docs.splunk.com/Splexicon:Universalforwarder

Alternatively, you can configure the indexer to throw out the data you don't want from this source.

Reply

rush2112
New Member
‎06-11-2014 06:26 AM

Thanks yannk for keeping me on the universalforwarder. I have whitelisted event codes from the security log I wanted to keep and it is working fine.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎06-10-2014 11:53 AM

The nullQueue filtering (at the indexer/heavy forwarder level) was the old way.
Since splunk 6.* you can use the whitelist/blacklist for EventCode at the input level on any forwarders.

I am surprised that the config above didn't work.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...