Getting Data In

How do I edit my configurations on the universal forwarder to split Windows event logs and SQL logs to different indexes?

ryandg
Communicator

Hello,

Our Windows servers have the universal forwarder installed and it is working just fine. However, we also have Windows Servers with SQL installed and we are trying to monitor the SQL Audit. We have configured the SQL Audit to send to Windows Event Logs' Application Log and we are now getting both SQL Audit and WinEvent in the same index. However, I want to split it so that SQL logs can be on a separate index than Windows logs.

Currently this is what I have setup on the UF:
inputs.conf

[WinEventLog://Application]
start_from = oldest
current_only = 0
checkpointInterval = 5
whitelist1 = 33205
index = mssql
renderXml=false
sourcetype = mssql:winevent
source = mssql:audit

[WinEventLog://Application]
start_from = oldest
current_only = 0
checkpointInterval = 5
blacklist1 = 33205
index = windows
renderXml=false


[WinEventLog://Security]
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = windows
renderXml=false

[WinEventLog://System]
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows
renderXml=false

###### Windows Update Log ######
[monitor://$WINDIR\WindowsUpdate.log]
sourcetype = WindowsUpdateLog
index = windows

outputs.conf

[tcpout]
defaultGroup = all_heavy_forwarders

[tcpout:all_heavy_forwarders]
server = <<IP List>>

forceTimebasedAutoLB=true

autoLB = true

I put 2 application stanzas to try and split it at the UF and have different sourcetypes/indexes from that point forward, however, it doesn't seem to work.

If I run a TCP dump, there are zero logs with EventCode 33205 that make it to the heavy forwarders. However, the rest of the logs do make it. Additionally, if I disable the first inputs stanza, then I get 33205 events.

1 Solution

somesoni2
Revered Legend

Add following in the forwarder.

In props.conf:

[WinEventLog:Application]
TRANSFORMS-sqllogs=sqllogs

In transforms.conf:

[sqllogs]
REGEX=(?m)^EventCode=33205
DEST_KEY =_MetaData:Index
FORMAT = mssql

In inputs.conf, just have one monitoring stanza for WinEventLog://Application, like this

 [WinEventLog://Application]
 start_from = oldest
 current_only = 0
 checkpointInterval = 5
 index = windows
 renderXml=false

View solution in original post

somesoni2
Revered Legend

Add following in the forwarder.

In props.conf:

[WinEventLog:Application]
TRANSFORMS-sqllogs=sqllogs

In transforms.conf:

[sqllogs]
REGEX=(?m)^EventCode=33205
DEST_KEY =_MetaData:Index
FORMAT = mssql

In inputs.conf, just have one monitoring stanza for WinEventLog://Application, like this

 [WinEventLog://Application]
 start_from = oldest
 current_only = 0
 checkpointInterval = 5
 index = windows
 renderXml=false

ryandg
Communicator

Looks like it still doesn't parse it out, it still keeps going to the original index. I might try to do it at the heavy forwarder level and see if I split it into two stanzas and have one transforms stanza do a negative lookahead to remove the logs from one and then a second transforms to include only those logs.

0 Karma

somesoni2
Revered Legend

Try the same props and transforms on your heavy forwarder.

0 Karma

ryandg
Communicator

Yes! Thank you!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...