Re: Filtering security log at the universal forwar...

rush2112 · ‎06-10-2014

Hello,

I am trying to nail exactly what I need for this. There is so many different explanations, that I find I am more confused than when I started looking into it.

I am using a universal forwarder version 6.1.1.207789 on a Windows 2012 server. This is a DC.

Basically I only want to send event codes that are 4624 or 4634. I do not care about anything else at this stage.

I have changed the %splunk_home%\etc\system\local inputs.conf file to look like below:

[default]

host = YYY

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEvent.log://Security]
disabled = 0
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = 4624,4634

When I restarted the forwarder if just sent everything as normal. By normal I mean we chose security log tick box when we installed the Universal Forwarder in the first place.

By the way in the preview, it has removed the underscores from current only and evt resolve ad obj

This is the first time I have tried this. Any help much appreciated.

yannK · ‎06-10-2014

Found it, there is a typo in the input name. So the default from another app must be applied instead.

[WinEvent.log://Security]
should be
[WinEventLog://Security]

To verify the result, run a btool
splunk cmd btool inputs list --debug

yannK · ‎06-11-2014

you can accept the answer, it will mark the question as resolved for other users.

rush2112 · ‎06-11-2014

Thanks yannk, that was it. the full stop and the non capital on the L of log. All working well with the universalforwarder, and my license limit is safe again.

alterdego · ‎06-10-2014

To follow on aweitzman's suggestion to throw out the events you don't want, the following in an example of sending select event log items to the null queue with props.conf and transforms.conf(you will need to adjust your regex to the events you want to keep/drop):

http://answers.splunk.com/answers/59370/filtering-events-using-nullqueue

aweitzman · ‎06-10-2014

You need to use a heavy forwarder if you want to filter the information before sending it. The universal forwarder only adds some metadata and forwards - it can't be used to do any filtering at the source:

http://docs.splunk.com/Splexicon:Universalforwarder

Alternatively, you can configure the indexer to throw out the data you don't want from this source.

rush2112 · ‎06-11-2014

Thanks yannk for keeping me on the universalforwarder. I have whitelisted event codes from the security log I wanted to keep and it is working fine.

yannK · ‎06-10-2014

The nullQueue filtering (at the indexer/heavy forwarder level) was the old way.
Since splunk 6.* you can use the whitelist/blacklist for EventCode at the input level on any forwarders.

I am surprised that the config above didn't work.

Filtering security log at the universal forwarder.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation