Getting Data In

How do I configure Splunk to index Windows Event Log data in separate indexes?

Ledio_Ago
Splunk Employee

I am able to retrieve Windows event logs from remote machines using WMI, and I'm also indexing local Windows event logs. I'd like to organize the events coming from the local system and from remote systems based on Windows event log channels, e.g. Application, System, ... How do I do that?

1 Solution

Ledio_Ago
Splunk Employee

Before you make any of the changes below, the indexes where you want these events to go need to already exist. For example, let's assume we have created the "WinEvtApp" index for Windows event log Application channel events, and the "WinEvtSec" index for the Security channel events.

For local Windows event logs it’s easy, just edit the inputs.conf file:

\local\inputs.conf

[WinEventLog:Application]
index=WinEvtApp

[WinEventLog:Security]
index=WinEvtSec

...

For Windows event logs coming from remote machines using WMI it's a little more complicated. The wmi.conf file is a configuration file specific to the wmi scripted input, and it has nothing to do with configuring the Splunk server. You'll need to create a transform to filter out Windows event log WMI events based on the Logfile field value. This is an example for sending Security logs to the WinEvtSec custom index. You'll need to create a separate transform for every log channel, Application, System, ... The FORMAT key holds the custom index name.

system\local\transforms.conf

[wmi-sec-evt-index]
REGEX = (?m)Logfile=Security
DEST_KEY = _MetaData:Index
FORMAT = WinEvtSec

Reference this transform in props.conf under the "wmi" stanza:

system\local\props.conf

[wmi]
TRANSFORMS-FIELDS = wmi-host, wmi-override-host, wmi-source, wmi-sourcetype, wmi-sec-evt-index

Notice how the wmi-sec-evt-index is appended to the rest of the transforms for the wmi source. We have to make sure that the default transforms are preserved for the wmi events.
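
A runnable model of the routing this answer sets up (an added Python example, not Splunk's code and not part of the post; the transforms dictionary, the sample events and the helper names are constructed stand-ins): it applies the stanzas in TRANSFORMS-FIELDS order to sample multi-line WMI events, includes the per-channel Application stanza the answer tells you to create, and shows what the (?m) flag changes once the Logfile match is anchored.

```python
import re

# Constructed model of the answer's transforms.conf stanza, plus a second stanza for
# the Application channel as the answer says to add (assumption; not Splunk's own code).
TRANSFORMS = {
    "wmi-sec-evt-index": {"REGEX": r"(?m)Logfile=Security",
                          "DEST_KEY": "_MetaData:Index", "FORMAT": "WinEvtSec"},
    "wmi-app-evt-index": {"REGEX": r"(?m)Logfile=Application",
                          "DEST_KEY": "_MetaData:Index", "FORMAT": "WinEvtApp"},
}
# The props.conf [wmi] TRANSFORMS-FIELDS order from the answer, with the routing
# stanzas appended after the stock wmi-* transforms so those keep running first.
TRANSFORMS_FIELDS = ["wmi-host", "wmi-override-host", "wmi-source", "wmi-sourcetype",
                     "wmi-sec-evt-index", "wmi-app-evt-index"]

# Constructed sample events shaped like Splunk's WMI Win32_NTLogEvent output:
# one key=value pair per line, with the Logfile line somewhere in the body.
SAMPLE_EVENTS = {
    "security": "20240101090000.000000\nComputerName=HOST1\nEventCode=4624\n"
                "Logfile=Security\nMessage=An account was successfully logged on.",
    "application": "20240101090100.000000\nComputerName=HOST1\nEventCode=1000\n"
                   "Logfile=Application\nMessage=Faulting application name: app.exe",
    "system": "20240101090200.000000\nComputerName=HOST1\nEventCode=7036\n"
              "Logfile=System\nMessage=The Print Spooler service is running.",
}

def route_index(raw: str, default_index: str = "main") -> str:
    """Mimic Splunk's index-time evaluation for one WMI event: stanzas run in
    TRANSFORMS-FIELDS order, and each whose REGEX matches the raw event writes
    its FORMAT into DEST_KEY. Returns the index the event would be written to."""
    meta = {"_MetaData:Index": default_index}
    for name in TRANSFORMS_FIELDS:
        stanza = TRANSFORMS.get(name)
        if stanza is None:      # stock wmi-* stanzas set host/source/sourcetype, not index
            continue
        if re.search(stanza["REGEX"], raw):
            meta[stanza["DEST_KEY"]] = stanza["FORMAT"]
    return meta["_MetaData:Index"]

def anchored_match(raw: str, channel: str, multiline: bool) -> bool:
    """What (?m) buys you: with it, ^ and $ match at every line break inside the
    multi-line event, so ^Logfile=<channel>$ pins the whole Logfile line and cannot
    match a longer value. Without it, ^ only matches the start of the entire event."""
    flag = "(?m)" if multiline else ""
    return re.search(rf"{flag}^Logfile={channel}$", raw) is not None

if __name__ == "__main__":
    for label, event in SAMPLE_EVENTS.items():
        print(f"{label:12s} -> index {route_index(event)}")
```

An event from a channel with no routing stanza (System here) stays in the default index, which is the case to watch for when you add channels one at a time.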


CONSORP
Loves-to-Learn Lots

How do we write a REGEX if we need to give 2 different field names and their values, and from above
"REGEX = (?m)Logfile=Security"
what is (?m) for and what does it do?
Correct me if I'm wrong, apart from the ?(m) in REGEX.

transforms.conf
[wmi-host]
SOURCE_KEY=<fieldname1>,<fieldname2>
REGEX=?(m)<fieldname>=<fieldvalue>
DEST_KEY =_MetaData:Index
FORMAT = <new_indexname>

props.conf
[sourcetype]
TRANSFORMS-FIELDS = wmi-host, wmi-source, wmi-sourcetype

gkanapathy
Splunk Employee

Note that you don't have to append to the existing list. In fact, it will be easier to just define a new transform from scratch, with TRANSFORMS-something = wmi-sec-evt-index, with -something set to anything other than -FIELDS.

CONSORP
Loves-to-Learn Lots

How do we write a REGEX if we need to give 2 different field names and their values, and from above "REGEX = (?m)Logfile=Security"
what is (?m)?
Correct me if I'm wrong.
'Logfile' is the field name and 'Security' is the field value.
