Getting Data In

How do I go about filtering data with transform.conf?

ksbuchanan
Explorer

I am using universal forwarders installed on my domain controllers, and I am successfully filtering specific events (props.conf and transform.conf are show below). This is working as we want it to work, and the data is being indexed into "SecEvents".

I want to add a new server and index into the same index (SecEvents); however, the list of event IDs are different. How can I filter from multiple sources? I've tried adding the host into the REGEX in the transform - but nothing I've tried works.

For the sake of simplicity - let's just say I want events 1000 and 2000 from the "new server", and I want them to drop into the SecEvents index.

Thanks for your help!

Contents of props.conf

[WinEventLog:Security]
TRANSFORMS-security = events-null, events-filter

Contents of transform.conf

[events-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[events-filter]
#The last 3...may generate a lot...watch for them
REGEX=(?m)^EventCode=(4720|4722|4724|4725|4726|4727|4728|4729|4730|4731|4732|4733|4734|4735|4737|4740|4741|4743|4744|4745|4746|4747|4748|4749|4750|4751|4752|4753|4754|4755|4756|4757|4758|4759|4760|4761|4762|4763|4767|4771|4723|4625|6272|6273|6278)
DEST_KEY = queue
FORMAT = indexQueue
0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

hi @ksbuchanan

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma

gjanders
SplunkTrust
SplunkTrust

Why not filter at the universal forwarder level ? Refer to blog post Controlling 4662 Messages in the Windows Security Event Log or to Monitor Windows event log data in particular the whitelist/blacklist section

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...