Getting Data In

How do I go about filtering data with transform.conf?

ksbuchanan
Explorer

I am using universal forwarders installed on my domain controllers, and I am successfully filtering specific events (props.conf and transform.conf are show below). This is working as we want it to work, and the data is being indexed into "SecEvents".

I want to add a new server and index into the same index (SecEvents); however, the list of event IDs are different. How can I filter from multiple sources? I've tried adding the host into the REGEX in the transform - but nothing I've tried works.

For the sake of simplicity - let's just say I want events 1000 and 2000 from the "new server", and I want them to drop into the SecEvents index.

Thanks for your help!

Contents of props.conf

[WinEventLog:Security]
TRANSFORMS-security = events-null, events-filter

Contents of transform.conf

[events-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[events-filter]
#The last 3...may generate a lot...watch for them
REGEX=(?m)^EventCode=(4720|4722|4724|4725|4726|4727|4728|4729|4730|4731|4732|4733|4734|4735|4737|4740|4741|4743|4744|4745|4746|4747|4748|4749|4750|4751|4752|4753|4754|4755|4756|4757|4758|4759|4760|4761|4762|4763|4767|4771|4723|4625|6272|6273|6278)
DEST_KEY = queue
FORMAT = indexQueue
0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

hi @ksbuchanan

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma

gjanders
SplunkTrust
SplunkTrust

Why not filter at the universal forwarder level ? Refer to blog post Controlling 4662 Messages in the Windows Security Event Log or to Monitor Windows event log data in particular the whitelist/blacklist section

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.