Filtering security log at the universal forwarder.

New Member

Hello,

I am trying to nail exactly what I need for this. There are so many different explanations that I find I am more confused than when I started looking into it.

I am using a universal forwarder version 6.1.1.207789 on a Windows 2012 server. This is a DC.

Basically I only want to send event codes that are 4624 or 4634. I do not care about anything else at this stage.

I have changed the %splunk_home%\etc\system\local inputs.conf file to look like below:

[default]

host = YYY

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEvent.log://Security]
disabled = 0
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = 4624,4634

When I restarted the forwarder it just sent everything as normal. By normal I mean we chose the security log tick box when we installed the Universal Forwarder in the first place.

By the way, in the preview it has removed the underscores from current only and evt resolve ad obj.

This is the first time I have tried this. Any help much appreciated.

0 Karma

Splunk Employee

Found it, there is a typo in the input name. So the default from another app must be applied instead.

[WinEvent.log://Security]
should be
[WinEventLog://Security]

To verify the result, run btool:
splunk cmd btool inputs list --debug

0 Karma
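A lint for the failure described in the answer above, added here as an example (it is not part of the original thread and is not Splunk tooling): it parses inputs.conf text and reports stanzas whose input scheme is a near miss of a known one, together with the whitelist/blacklist settings that would not take effect on the intended input. The scheme list is a partial list, the function names are hypothetical, and the check assumes the scheme must match exactly as spelled in the answer.

```python
import difflib
import re

# Partial list of input schemes (assumption: not exhaustive; extend as needed).
KNOWN_SCHEMES = ["monitor", "batch", "script", "tcp", "udp", "splunktcp", "fifo",
                 "http", "powershell", "WinEventLog", "perfmon", "admon", "WinRegMon"]
FILTER_KEYS = ("whitelist", "blacklist")


def parse_stanzas(text):
    """Return {stanza_name: {key: value}} from inputs.conf-style text."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def squash(name):
    """Lower-case and drop punctuation so 'WinEvent.log' compares as 'wineventlog'."""
    return re.sub(r"[^a-z]", "", name.lower())


def lint_inputs(text):
    """Report input stanzas whose scheme is not an exact, case-sensitive match."""
    by_squashed = {squash(s): s for s in KNOWN_SCHEMES}
    findings = []
    for name, settings in parse_stanzas(text).items():
        scheme, sep, target = name.partition("://")
        if not sep or scheme in KNOWN_SCHEMES:
            continue  # [default] or a correctly spelled input stanza
        close = difflib.get_close_matches(squash(scheme), list(by_squashed), n=1, cutoff=0.8)
        findings.append({
            "stanza": name,
            "suggestion": f"[{by_squashed[close[0]]}://{target}]" if close else None,
            "unapplied_filters": {k: v for k, v in settings.items() if k in FILTER_KEYS},
        })
    return findings


# Constructed sample: the stanza from the question, trimmed to the relevant keys.
SAMPLE = "[default]\nhost = YYY\n\n[WinEvent.log://Security]\ndisabled = 0\nwhitelist = 4624,4634\n"
print(lint_inputs(SAMPLE))
```

Running it over the merged output of the btool command above, rather than a single file, also catches a misspelled stanza that sits alongside a correctly named default from another app.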

Splunk Employee

You can accept the answer; it will mark the question as resolved for other users.

0 Karma

New Member

Thanks yannk, that was it. The full stop and the non-capital on the L of log. All working well with the universal forwarder, and my license limit is safe again.

0 Karma

Path Finder

To follow on aweitzman's suggestion to throw out the events you don't want, the following is an example of sending select event log items to the null queue with props.conf and transforms.conf (you will need to adjust your regex to the events you want to keep/drop):

http://answers.splunk.com/answers/59370/filtering-events-using-nullqueue

Motivator

You need to use a heavy forwarder if you want to filter the information before sending it. The universal forwarder only adds some metadata and forwards - it can't be used to do any filtering at the source:

http://docs.splunk.com/Splexicon:Universalforwarder

Alternatively, you can configure the indexer to throw out the data you don't want from this source.

New Member

Thanks yannk for keeping me on the universal forwarder. I have whitelisted event codes from the security log I wanted to keep and it is working fine.

0 Karma

Splunk Employee

The nullQueue filtering (at the indexer/heavy forwarder level) was the old way.
Since Splunk 6.*, you can use the whitelist/blacklist for EventCode at the input level on any forwarder.

I am surprised that the config above didn't work.

0 Karma