Getting Data In

Filtering windows events not working after switching to WMI pull

Contributor

Hi,

My previous configuration to filter windows event codes doesn't work when I used it on another machine that is pulling data via WMI. My objective is to filter off event codes 538,540,672,673,861 and "Success Audit" type for code 578.

My existing configuration is:
props.conf

[wmi]  
TRANSFORMS-null = setnullevents, setparsing

transforms.conf

[setnullevents]  
REGEX = (?m)^EventCode=(538|540|672|673|861)\b  
DEST_KEY = queue  
FORMAT = nullQueue 

[setparsing]
REGEX = (?msi)^EventCode=578.*^(Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue

Any idea what I've missed?

Tags (2)
0 Karma
1 Solution

Contributor

don't know why but after I meddle around with the naming..it seems to work after that..

props.conf [wmi]
TRANSFORMS-wminull = wmi-null, wmi-parsing

[wmi-null]
REGEX = (?msi)^EventCode=(538|540|672|673|861)\b
DEST_KEY = queue
FORMAT = nullQueue

[wmi-parsing]
REGEX = (?msi)^EventCode=578.*^(Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue

View solution in original post

0 Karma

Contributor

don't know why but after I meddle around with the naming..it seems to work after that..

props.conf [wmi]
TRANSFORMS-wminull = wmi-null, wmi-parsing

[wmi-null]
REGEX = (?msi)^EventCode=(538|540|672|673|861)\b
DEST_KEY = queue
FORMAT = nullQueue

[wmi-parsing]
REGEX = (?msi)^EventCode=578.*^(Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

Can you clarify your input configuration? Are you pulling events from remote eventlogs or from local ones?

If it's from local ones, you should use a stanza of

[WinEventLog:Security]

Also, if you're forwarding, then it will not use the wmi stanza on the recieving end, only the sending, so you'll need the proper spec

[source::WMI:WinEventLog:Security]

Also, I'd change the transform names to allwminull and successwminull or similar. As you're not setting the default to null and then rescuing the events you care about, which is what the original sample names are for.

0 Karma

Contributor

There are 3 machines, hostA,hostB(both windows) & splunk indexer(linux).

I have splunk installed on hostB and have configured with the above scripts to pull event logs from hostA, and then forward them to Splunk indexer.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!