Getting Data In

Having some trouble with an infinite forwarding loop - Windows Event Logs

janderson19
Path Finder

Hello

I'm having a problem with Windows Event logs coming into Splunk.

Windows Events log every time that the Forwarder connects to the Indexer, generating about 25GB of data per day. I had this fixed, but at some point yesterday the indexer stopped sending data containing the indexer's IP address to nullQueue. I don't know why this stopped filtering data, because nobody logged into the server yesterday, and the props.conf and transforms.conf look the same.

Here is the props.conf

 [host::$ComputerName.*]
 TRANSFORMS-null = setnull2,setparsing2

and the transforms:

 [setparsing2]
 REGEX = .
 DEST_KEY = queue
 FORMAT = indexQueue

 [setnull2]
 REGEX = .*(9997).*
 DEST_KEY = queue
 FORMAT = nullQueue

Here is an example of 99.98% of the data coming in:

07/22/2016 12:43:04 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=$ComputerName
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=18494355
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.

Application Information:
Process ID: 3860
Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe

Network Information:
Direction: Outbound
Source Address: $srcIP
Source Port: $Port
Destination Address: $dstIP
Destination Port: 9997
Protocol: 6

Filter Information:
Filter Run-Time ID: 77106
Layer Name: Connect
Layer Run-Time ID: 48

This configuration worked just fine for 2 or 3 months, but stopped working yesterday.

1 Solution

dshpritz
SplunkTrust

If your forwarders are version 6 or above, you can use the Windows event filtering, which would prevent sending the data to the indexers in the first place. More info:

http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
https://answers.splunk.com/answers/152131/filter-windows-eventcode-using-blacklist-and-whitelist.htm...

I feel like this would be a more effective way of accomplishing the same goal, if you are trying to filter based on the event code.

Edit: This can also be used to filter based on information within the Windows event.


woodcock
Esteemed Legend

If (and that is a BIG IF because you have not told us how/what you are trying to filter, leaving us no choice but to guess) you are trying to throw away any event that contains the number 9997 anywhere in it, then you can make this change and it will work:

props.conf:

 TRANSFORMS-null = setnull2

Be aware that your RegEx is probably sub-optimal and this would probably be better:

(?:[^0-9]|^)9997(?:[^0-9]|$)

I think probably you actually should be using this instead (but who can really know?):

Destination\s+Port:\s*9997(?:[^0-9]|$)
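
To see why the props.conf in the question lets every event through, and what the tighter patterns change, here is an added Python emulation of how a TRANSFORMS- list is applied. It is not Splunk's code and not from either poster: stanzas in the list are tried in order, and each one whose REGEX matches the raw event overwrites the queue, so the last match wins. With `setnull2,setparsing2`, the catch-all `.` fires after `setnull2` and puts everything back on indexQueue. The three event strings are constructed (abbreviated from the 5156 example above, with a made-up RecordNumber and source port); the regexes are the ones discussed in the thread.

```python
import re

# Constructed sample events, abbreviated from the 5156 example in the question (not real log data).
WFP_TO_INDEXER = """07/22/2016 12:43:04 PM
LogName=Security
EventCode=5156
RecordNumber=18494355
Message=The Windows Filtering Platform has permitted a connection.
Application Name: \\device\\harddiskvolume2\\program files\\splunkuniversalforwarder\\bin\\splunkd.exe
Direction: Outbound
Source Port: 51204
Destination Port: 9997
Protocol: 6"""

# An unrelated outbound connection whose (constructed) RecordNumber happens to contain the digits 9997.
UNRELATED_RECORD = (WFP_TO_INDEXER
                    .replace("RecordNumber=18494355", "RecordNumber=18499971")
                    .replace("Destination Port: 9997", "Destination Port: 443"))

# A connection that used 9997 as its ephemeral *source* port and went somewhere else.
SOURCE_PORT_9997 = (WFP_TO_INDEXER
                    .replace("Source Port: 51204", "Source Port: 9997")
                    .replace("Destination Port: 9997", "Destination Port: 443"))

# The two transforms.conf stanzas from the question, as dicts.
TRANSFORMS = {
    "setparsing2": {"REGEX": r".",          "DEST_KEY": "queue", "FORMAT": "indexQueue"},
    "setnull2":    {"REGEX": r".*(9997).*", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
}

def route(event, order, transforms=TRANSFORMS):
    """Emulate TRANSFORMS-<class> = a,b,...: stanzas are tried in list order, and every
    one whose REGEX matches _raw overwrites the queue. The last matching stanza wins."""
    queue = "indexQueue"                      # an event nobody reroutes gets indexed
    for name in order:
        stanza = transforms[name]
        if stanza["DEST_KEY"] == "queue" and re.search(stanza["REGEX"], event):
            queue = stanza["FORMAT"]
    return queue

def op_order(event):
    """TRANSFORMS-null = setnull2,setparsing2 (the props.conf in the question)."""
    return route(event, ["setnull2", "setparsing2"])

def fixed_order(event):
    """TRANSFORMS-null = setnull2 (the catch-all dropped, as suggested above)."""
    return route(event, ["setnull2"])

# The three regexes discussed in the thread, for the false-positive comparison.
REGEXES = {
    "anywhere":  r".*(9997).*",
    "whole_num": r"(?:[^0-9]|^)9997(?:[^0-9]|$)",
    "dst_port":  r"Destination\s+Port:\s*9997(?:[^0-9]|$)",
}

def matches(event, name):
    """True if the named regex matches the raw event text."""
    return re.search(REGEXES[name], event) is not None

if __name__ == "__main__":
    for label, ev in [("splunkd->9997", WFP_TO_INDEXER),
                      ("record 18499971", UNRELATED_RECORD),
                      ("src port 9997", SOURCE_PORT_9997)]:
        hits = [n for n in REGEXES if matches(ev, n)]
        print(f"{label:16} op_order={op_order(ev):10} fixed={fixed_order(ev):10} regex hits={hits}")
```

Running it shows `op_order` returning indexQueue for all three events (nothing is ever dropped, which matches the 25 GB/day), while `fixed_order` drops all three, including the unrelated record that merely contains 9997 in its RecordNumber. Only the `dst_port` pattern matches the forwarder-to-indexer event alone; `whole_num` still catches the source-port case, which may or may not be what you want.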

janderson19
Path Finder

I have looked into this previously, but I am trying to filter by either destination port or destination Address. In the configuration in the OP, I'm filtering by source port.


dshpritz
SplunkTrust

Have you tried something like:

[WinEventLog://Security]
blacklist1 = Destination\s+Port:\s+9997
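
To show what a forwarder-side blacklist actually evaluates, here is an added Python emulation (not Splunk's parser, and not from either poster) of the WinEventLog `blacklist<N>` value formats documented for inputs.conf on Splunk 6 and later: either a list of event IDs, or `key=regex [key=regex ...]` where each regex is delimited by `%` or double quotes and every pair on one line must match. The event texts are constructed (the second one uses a hypothetical svchost.exe process and port 445), and the rule is written in the key=regex form scoped to EventCode 5156 so that only the forwarder's own connections to port 9997 are dropped, rather than every WFP connection event the host produces.

```python
import re

# Constructed Windows event in the text layout Splunk's WinEventLog input emits (not real data;
# the placeholder values follow the question).
SPLUNKD_TO_INDEXER = """07/22/2016 12:43:04 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=$ComputerName
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=18494355
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.

Application Information:
Process ID: 3860
Application Name: \\device\\harddiskvolume2\\program files\\splunkuniversalforwarder\\bin\\splunkd.exe

Network Information:
Direction: Outbound
Source Port: 51204
Destination Port: 9997
Protocol: 6"""

# Another 5156 from the same host that has nothing to do with the forwarder (hypothetical process/port).
OTHER_5156 = (SPLUNKD_TO_INDEXER
              .replace("splunkuniversalforwarder\\bin\\splunkd.exe", "windows\\system32\\svchost.exe")
              .replace("Destination Port: 9997", "Destination Port: 445"))

HEADER_KEYS = {"LogName", "SourceName", "EventCode", "EventType", "Type", "ComputerName",
               "TaskCategory", "OpCode", "RecordNumber", "Keywords"}

def parse_event(text):
    """Split the Key=Value header lines off; everything from 'Message=' to the end is Message."""
    fields, lines = {}, text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Message="):
            fields["Message"] = "\n".join([line[len("Message="):]] + lines[i + 1:])
            break
        key, sep, value = line.partition("=")
        if sep and key in HEADER_KEYS:
            fields[key] = value
    return fields

ID_LIST = re.compile(r"^\s*\d+(?:\s*-\s*\d+)?(?:\s*,\s*\d+(?:\s*-\s*\d+)?)*\s*$")
KEY_REGEX = re.compile(r'(\w+)=(?:%([^%]*)%|"([^"]*)")')

def parse_rule(rule):
    """A blacklist value is either an event-ID list ('4688,5156-5158') or
    'key=regex [key=regex ...]' with each regex delimited by % or double quotes."""
    if ID_LIST.match(rule):
        ids = set()
        for part in rule.split(","):
            lo, _, hi = part.partition("-")
            ids.update(range(int(lo), int(hi or lo) + 1))
        return ("ids", ids)
    pairs = [(k, pct or quoted) for k, pct, quoted in KEY_REGEX.findall(rule)]
    return ("kv", pairs)

def blacklisted(event_text, rules):
    """True if any rule matches. Inside one key=regex rule every pair must match (AND);
    separate blacklist1..blacklistN lines are alternatives (OR)."""
    fields = parse_event(event_text)
    for rule in rules:
        kind, spec = parse_rule(rule)
        if kind == "ids":
            if int(fields.get("EventCode", -1)) in spec:
                return True
        elif spec and all(re.search(rx, fields.get(k, "")) for k, rx in spec):
            return True
    return False

# Coarse: drops every WFP connection event on the host, including ones worth keeping.
COARSE = ["5156"]
# Precise: drops only 5156 events whose message shows a connection to the indexer port.
PRECISE = [r'EventCode=%^5156$% Message=%Destination\s+Port:\s+9997%']

if __name__ == "__main__":
    for label, ev in [("splunkd->9997", SPLUNKD_TO_INDEXER), ("svchost->445", OTHER_5156)]:
        print(f"{label:14} coarse={blacklisted(ev, COARSE)!s:5} precise={blacklisted(ev, PRECISE)}")
```

The precise rule drops the forwarder's own connection events and keeps the other 5156, which is the behaviour you want on a host where WFP connection events feed detection content; the bare event-ID form silences both.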

janderson19
Path Finder

This worked great, thanks!
