Hi,
My previous configuration to filter Windows event codes doesn't work when I use it on another machine that is pulling data via WMI. My objective is to filter out event codes 538, 540, 672, 673, 861 and the "Success Audit" type for code 578.
My existing configuration is:
props.conf
[wmi]
TRANSFORMS-null = setnullevents, setparsing
transforms.conf
[setnullevents]
REGEX = (?m)^EventCode=(538|540|672|673|861)\b
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = (?msi)^EventCode=578.*^(Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue
Any idea what I've missed?
Don't know why, but after I meddled around with the naming it seems to work.
props.conf
[wmi]
TRANSFORMS-wminull = wmi-null, wmi-parsing
transforms.conf
[wmi-null]
REGEX = (?msi)^EventCode=(538|540|672|673|861)\b
DEST_KEY = queue
FORMAT = nullQueue
[wmi-parsing]
REGEX = (?msi)^EventCode=578.*^(Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue
Can you clarify your input configuration? Are you pulling events from remote eventlogs or from local ones?
If it's from local ones, you should use a stanza of
[WinEventLog:Security]
Also, if you're forwarding, then it will not use the wmi stanza on the receiving end, only the sending, so you'll need the proper spec
[source::WMI:WinEventLog:Security]
Also, I'd change the transform names to
allwminull
and
successwminull
or similar.
As you're not setting the default to null and then rescuing the events you care about, which is what the original sample names are for.
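To check what the two regexes in the working configuration above actually drop, and to contrast them with the "send everything to nullQueue, then rescue what you keep" pattern the reply refers to, here is a small Python simulation. It is an added example, not code from the thread or from Splunk; the event records are constructed to look like the multi-line key=value text Splunk produces for WinEventLog data pulled over WMI, and the `route`/`route_all` helpers and the rescue regex for codes 4624/4625 are assumptions made for the demonstration. Splunk applies transforms in the order listed in TRANSFORMS-*, and each matching transform overwrites DEST_KEY=queue, so the last match wins; that ordering rule is what the simulation models.

```python
import re

# Constructed sample events (not real log data). Each record is one event as
# Splunk lays it out for WMI:WinEventLog input: key=value lines, CRLF-terminated.
SAMPLE_EVENTS = [
    "EventCode=538\r\nType=Audit Success\r\nUser=HOSTA\\alice\r\n",
    "EventCode=5380\r\nType=Audit Success\r\nUser=HOSTA\\alice\r\n",   # checks the \b boundary
    "EventCode=578\r\nType=Audit Success\r\nUser=HOSTA\\bob\r\n",
    "EventCode=578\r\nType=Audit Failure\r\nUser=HOSTA\\bob\r\n",
    "EventCode=4624\r\nType=Audit Success\r\nUser=HOSTA\\carol\r\n",
]

# The two stanzas from the working transforms.conf in the thread, in TRANSFORMS order.
# Splunk uses PCRE; the inline flags (?msi) mean the same thing in Python's re module.
THREAD_TRANSFORMS = [
    ("wmi-null", re.compile(r"(?msi)^EventCode=(538|540|672|673|861)\b"), "nullQueue"),
    ("wmi-parsing", re.compile(r"(?msi)^EventCode=578.*^(Type=Audit Success)"), "nullQueue"),
]

# The regex from the original (non-working) question, which differs only in flags.
ORIGINAL_NULL = re.compile(r"(?m)^EventCode=(538|540|672|673|861)\b")

# The "drop everything, then rescue" pattern: REGEX = . matches every event and sends
# it to nullQueue; a later transform routes the events we want back to indexQueue.
# The 4624/4625 rescue list is an assumption chosen for this example.
RESCUE_TRANSFORMS = [
    ("setnull", re.compile(r"."), "nullQueue"),
    ("setparsing", re.compile(r"(?msi)^EventCode=(4624|4625)\b"), "indexQueue"),
]


def fields(event):
    """Parse the key=value lines of one event into a dict."""
    return dict(line.split("=", 1) for line in event.splitlines() if "=" in line)


def route(event, transforms, default="indexQueue"):
    """Return the queue an event ends up in: transforms run in order and each
    match overwrites the queue, so the last matching transform decides."""
    queue = default
    for _name, regex, fmt in transforms:
        if regex.search(event):
            queue = fmt
    return queue


def route_all(events, transforms):
    """(EventCode, Type, queue) for every event, in input order."""
    out = []
    for event in events:
        f = fields(event)
        out.append((f["EventCode"], f["Type"], route(event, transforms)))
    return out


def same_matches(regex_a, regex_b, events):
    """True when two regexes accept exactly the same subset of the events."""
    return [bool(regex_a.search(e)) for e in events] == [bool(regex_b.search(e)) for e in events]


if __name__ == "__main__":
    for code, kind, queue in route_all(SAMPLE_EVENTS, THREAD_TRANSFORMS):
        print(f"thread config : EventCode={code:<5} Type={kind:<14} -> {queue}")
    for code, kind, queue in route_all(SAMPLE_EVENTS, RESCUE_TRANSFORMS):
        print(f"rescue pattern: EventCode={code:<5} Type={kind:<14} -> {queue}")
    print("(?m) and (?msi) variants agree:", same_matches(ORIGINAL_NULL, THREAD_TRANSFORMS[0][1], SAMPLE_EVENTS))
```

Running it shows 538 and the successful 578 going to nullQueue while 5380, the failed 578 and 4624 stay on indexQueue; under the rescue pattern only 4624 survives. It also shows that, on these samples, the (?m) regex from the original question and the (?msi) one from the working version match the same events, so the regex flags alone do not explain the difference the poster saw; the stanza the props.conf entry is attached to (as the reply above asks about) is the thing to verify.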
There are 3 machines: hostA, hostB (both Windows) and the Splunk indexer (Linux).
I have Splunk installed on hostB and have configured it with the above scripts to pull event logs from hostA and then forward them to the Splunk indexer.