Getting Data In

How do I configure Splunk Universal Forwarder with an Splunk Deployment Server to send only specific Windows Logs?

Explorer

Hi,

i am new to splunk. I was already succesfull at intalling it and forwarding data (win Event logs) to it. Now i'm trying to restrict the forwarded data from Windows 2008 and Windows 2012 to only warnings and erros. To do this i'm using the splunk deployment Server and an deoployment app that contains only the Input.conf.

Now to the Specs.
Splunk Server Instance 6.2.3 running a Windows Server 2012R2 OS, it acts as indexer and deployment Server.
The data comes from Splunk Universal Forwarder 6.2.3 installed on Windows Server 2012 and 2008.

The Input.conf I'm deploying in the app is like this:

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://Application]
disabled=0
blacklist= Type="Information"
index = main

[WinEventLog://Security]
disabled=0
blacklist= Keywords="Audit Success" Type="Information"
index = main

[WinEventLog://System]
disabled=0
blacklist= Type="Information"
index = main

[WinEventLog://Setup]
disabled = 0
blacklist= Type="Information"
index = main

I created an app in with this structure on the deployment server

C:\Program Files\Splunk\etc\deployment-apps\<app_name>\ _
C:\Program Files\Splunk\etc\deployment-apps\<app_name>\Default _
C:\Program Files\Splunk\etc\deployment-apps\<app_name>\Default\Input.conf _
C:\Program Files\Splunk\etc\deployment-apps\<app_name>\Local _
C:\Program Files\Splunk\etc\deployment-apps\<app_name>\Local\app.conf --> leere Datei

I have successfully deployed this app to the forwarder and i know that somthing is changed by this because after the deployment i dont receive any logs even thought on Servers are log generated there the blacklisting does not apply.
I created the deployment Setup based on this site http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Monitorwindowsdata/+"Monitoring+Windows+Logs and this site http://docs.splunk.com/Documentation/Splunk/latest/Updating/Extendedexampledeployseveralstandardforw...
When i remove the blacklisting from the conf it works and i havent found a solution on this site yet.
Therefore the question.

Thanks in advance for the help
Ludwig_MDC

0 Karma

Explorer

Problem is solved.

i dont know why it didn't work before but who cares.

all i changed was blacklist= Keywords="Audit Success" Type="Information" to
blacklist= Type="Information" Keywords="Audit Success" maybe that was it but i also tried that yesterday and it didn't work.

0 Karma

SplunkTrust
SplunkTrust

According to the docs at http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/MonitorWindowsdata, "Type" is a numeric value, not text, and I'm not sure it does the right thing with text. So, as per the blurb below's MS link, try

blacklist= Type=3

Copied here for reference:
A numeric value that represents one of the the five types of events that can be logged ("Error", "Warning", "Information", "Success Audit", and "Failure Audit".) Only available on server machines that run Windows Server 2008 or later, or clients that run Windows Vista or later. See "Win32_NTLogEvent class (Windows)" (http://msdn.microsoft.com/en-us/library/aa394226(v=vs.85).aspx) on MSDN.

0 Karma

Explorer

i already tried that and it diddn't work. When you Clink on the link to the Microsoft site you will see that Type is a String value and therefore probably text.
By the way the blacklist works with Type="Information", i honestly dont know why it didn't work yesterday.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!