Getting Data In

How do I get a Splunk universal forwarder to send explicit Event ID Events Only?

johann2017
Explorer

Hello,

I'm interested in installing universal forwarders (UF) on machines to ingest local security event logs into Splunk. However, I don't want every single security event log sent from the UFs to the heavy forwarder.

This leads to two questions:
1. Am I able to specify exactly which Event log IDs to send?
2. In addition to specifying Event Log IDs, can I get more granular and, for instance, send only Event ID 4732 logs (a member was added to a security-enabled group) but specify ONLY to send if it matches additional criteria — for members added to particular groups such as the local administrators group?

0 Karma
1 Solution

chrisyounger
SplunkTrust
SplunkTrust

Hi @johann2017

Yes Its definitely possible to filter by IDs. I would recommend you have a quick read of this PDF from the experts at Aplura:
https://www.aplura.com/docs/SplunkWindowsEventLogs.pdf

It has some very good links to blacklists that you can use to filter the events and reduce your ingest.

All the best.

View solution in original post

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Hi @johann2017

Yes Its definitely possible to filter by IDs. I would recommend you have a quick read of this PDF from the experts at Aplura:
https://www.aplura.com/docs/SplunkWindowsEventLogs.pdf

It has some very good links to blacklists that you can use to filter the events and reduce your ingest.

All the best.

0 Karma

johann2017
Explorer

Thanks I think that will get me kickstarted!

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Get Agentic with Splunk Lantern: Connect to Cisco Cloud Control, Transform ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

July Community Events: Master ITSI 5.0 & Automate Splunk

Struggling with alert fatigue or feeling like you're spending more time on infrastructure maintenance than ...

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...