Hi All,
I'm a newbie to the Splunk world and trying to figure out a couple things. I currently have Splunk Light installed and used the "Remote Event Log Collection" option to collect logs from my system. My question is: Can I create filters to only capture certain events from the security logs? Or do I need to configure the universal forwarder to collect the logs from my systems then configure filters prior to data getting indexed? Thanks, any info you can provide would be great.
You should let the universal forwarder collect the entire log and then filter on the indexer.
Exception: for Windows event logs, you can blacklist or whitelist event codes on the universal forwarder. To do this, you will need to add filters to the inputs.conf on the universal forwarder, as described in Monitor Windows event log data: Create advanced filters with 'whitelist' and 'blacklist'
You should let the universal forwarder collect the entire log and then filter on the indexer.
Exception: for Windows event logs, you can blacklist or whitelist event codes on the universal forwarder. To do this, you will need to add filters to the inputs.conf on the universal forwarder, as described in Monitor Windows event log data: Create advanced filters with 'whitelist' and 'blacklist'
Thanks for the response. Last question, does the universal forwarder need to be configured on a separate system from the Splunk Light server?
Yes, the Universal Forwarder sits on the remote machine which is generating data.. The Forwarder will send this data to the indexer (Where Splunk is installed)