Getting Data In

Filtering security log at the universal forwarder.

rush2112
New Member

Hello,

I am trying to nail exactly what I need for this. There is so many different explanations, that I find I am more confused than when I started looking into it.

I am using a universal forwarder version 6.1.1.207789 on a Windows 2012 server. This is a DC.

Basically I only want to send event codes that are 4624 or 4634. I do not care about anything else at this stage.

I have changed the %splunk_home%\etc\system\local inputs.conf file to look like below:

[default]

host = YYY

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEvent.log://Security]
disabled = 0
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = 4624,4634

When I restarted the forwarder if just sent everything as normal. By normal I mean we chose security log tick box when we installed the Universal Forwarder in the first place.

By the way in the preview, it has removed the underscores from current only and evt resolve ad obj

This is the first time I have tried this. Any help much appreciated.

0 Karma

yannK
Splunk Employee
Splunk Employee

Found it, there is a typo in the input name. So the default from another app must be applied instead.

[WinEvent.log://Security]
should be
[WinEventLog://Security]

To verify the result, run a btool
splunk cmd btool inputs list --debug

0 Karma

yannK
Splunk Employee
Splunk Employee

you can accept the answer, it will mark the question as resolved for other users.

0 Karma

rush2112
New Member

Thanks yannk, that was it. the full stop and the non capital on the L of log. All working well with the universalforwarder, and my license limit is safe again.

0 Karma

alterdego
Path Finder

To follow on aweitzman's suggestion to throw out the events you don't want, the following in an example of sending select event log items to the null queue with props.conf and transforms.conf(you will need to adjust your regex to the events you want to keep/drop):

http://answers.splunk.com/answers/59370/filtering-events-using-nullqueue

aweitzman
Motivator

You need to use a heavy forwarder if you want to filter the information before sending it. The universal forwarder only adds some metadata and forwards - it can't be used to do any filtering at the source:

http://docs.splunk.com/Splexicon:Universalforwarder

Alternatively, you can configure the indexer to throw out the data you don't want from this source.

rush2112
New Member

Thanks yannk for keeping me on the universalforwarder. I have whitelisted event codes from the security log I wanted to keep and it is working fine.

0 Karma

yannK
Splunk Employee
Splunk Employee

The nullQueue filtering (at the indexer/heavy forwarder level) was the old way.
Since splunk 6.* you can use the whitelist/blacklist for EventCode at the input level on any forwarders.

I am surprised that the config above didn't work.

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>