Getting Data In

Filtering windows events not working after switching to WMI pull

remy06
Contributor

Hi,

My previous configuration to filter windows event codes doesn't work when I used it on another machine that is pulling data via WMI. My objective is to filter off event codes 538,540,672,673,861 and "Success Audit" type for code 578.

My existing configuration is:
props.conf

[wmi]  
TRANSFORMS-null = setnullevents, setparsing

transforms.conf

[setnullevents]  
REGEX = (?m)^EventCode=(538|540|672|673|861)\b  
DEST_KEY = queue  
FORMAT = nullQueue 

[setparsing]
REGEX = (?msi)^EventCode=578.*^(Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue

Any idea what I've missed?

Tags (2)
0 Karma
1 Solution

remy06
Contributor

don't know why but after I meddle around with the naming..it seems to work after that..

props.conf [wmi]
TRANSFORMS-wminull = wmi-null, wmi-parsing

[wmi-null]
REGEX = (?msi)^EventCode=(538|540|672|673|861)\b
DEST_KEY = queue
FORMAT = nullQueue

[wmi-parsing]
REGEX = (?msi)^EventCode=578.*^(Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue

View solution in original post

0 Karma

remy06
Contributor

don't know why but after I meddle around with the naming..it seems to work after that..

props.conf [wmi]
TRANSFORMS-wminull = wmi-null, wmi-parsing

[wmi-null]
REGEX = (?msi)^EventCode=(538|540|672|673|861)\b
DEST_KEY = queue
FORMAT = nullQueue

[wmi-parsing]
REGEX = (?msi)^EventCode=578.*^(Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue

0 Karma

dart
Splunk Employee
Splunk Employee

Can you clarify your input configuration? Are you pulling events from remote eventlogs or from local ones?

If it's from local ones, you should use a stanza of

[WinEventLog:Security]

Also, if you're forwarding, then it will not use the wmi stanza on the recieving end, only the sending, so you'll need the proper spec

[source::WMI:WinEventLog:Security]

Also, I'd change the transform names to allwminull and successwminull or similar. As you're not setting the default to null and then rescuing the events you care about, which is what the original sample names are for.

0 Karma

remy06
Contributor

There are 3 machines, hostA,hostB(both windows) & splunk indexer(linux).

I have splunk installed on hostB and have configured with the above scripts to pull event logs from hostA, and then forward them to Splunk indexer.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Get Agentic with Splunk Lantern: Connect to Cisco Cloud Control, Transform ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

July Community Events: Master ITSI 5.0 & Automate Splunk

Struggling with alert fatigue or feeling like you're spending more time on infrastructure maintenance than ...

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...