Getting Data In
Highlighted

How do I get a Splunk universal forwarder to send explicit Event ID Events Only?

Explorer

Hello,

I'm interested in installing universal forwarders (UF) on machines to ingest local security event logs into Splunk. However, I don't want every single security event log sent from the UFs to the heavy forwarder.

This leads to two questions:
1. Am I able to specify exactly which Event log IDs to send?
2. In addition to specifying Event Log IDs, can I get more granular and, for instance, send only Event ID 4732 logs (a member was added to a security-enabled group) but specify ONLY to send if it matches additional criteria — for members added to particular groups such as the local administrators group?

0 Karma
Highlighted

Re: How do I get a Splunk universal forwarder to send explicit Event ID Events Only?

SplunkTrust
SplunkTrust

Hi @johann2017

Yes Its definitely possible to filter by IDs. I would recommend you have a quick read of this PDF from the experts at Aplura:
https://www.aplura.com/docs/SplunkWindowsEventLogs.pdf

It has some very good links to blacklists that you can use to filter the events and reduce your ingest.

All the best.

View solution in original post

0 Karma
Highlighted

Re: How do I get a Splunk universal forwarder to send explicit Event ID Events Only?

Explorer

Thanks I think that will get me kickstarted!

0 Karma