I'm trying to use the advanced whitelist filter, but I'm coming up short. Basically, I want to index all Windows event logs that have a Type of Critical. I see EventType and Type, but neither is what I'm looking for.
Perhaps I can do transforms?
If severity ID maps to Level, sure. I'm not seeing that referenced in the docs. Just take your event log and filter for Critical. That's all I'm looking for.
I don't have any in my test env.
You can use any of them, like Error or Warning.
Not exactly what you are looking for, I know, but you could try to blacklist unwanted events instead and see if that works for you:
blacklist = Type="(Information)"
Alternatively, you could run a network trace to see if the level field is collected by the Splunk UF and in what form and then whitelist only that. I'll try to set that up in my lab and see what I get.
Assuming you are using Universal Forwarders on your Windows servers, you could use the blacklist facility in inputs.conf.
For example, the Splunk Add-on for Microsoft Windows comes with this blacklist by default for Security log events:
[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=false
The reference documentation is here: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Event_Log_whitelist_and_blackli...
Well, I see the field "Level" in the XML of most event logs. Splunk isn't pulling that field by default. If I could get this field working, I could do it this way, but I'm not sure how the rendering of XML comes into play.
What's your current setup to pull Windows Log Events into Splunk at the moment?
What do the events look like?
Using the standard universal forwarder.
[WinEventLog://Application]
disabled = 0
index = wineventlog
interval = 60
whitelist = 1000, 1001, 11707, 11724
Say, for example, I wanted to turn this into pulling only Critical level events. The Level field is numeric and always seems to be 1. I know it exists because I can see it in XML View in the Event Log viewer on a PC.
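To make the two filter syntaxes in this thread concrete, here is an added Python model (not Splunk's own code, and not from any post above) of how a whitelist/blacklist value is evaluated against an event: the simple comma-separated EventCode list from the Application stanza, and the key="regex" form used in the Security blacklist. It assumes each regex is searched unanchored within the field value and that an event is kept only if it matches a whitelist entry (when any are set) and no blacklist entry; the sample events are constructed.

```python
import re

# One key="regex" pair in Splunk's advanced whitelist/blacklist syntax.
_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_filter(value):
    """Parse one whitelist/blacklist value into (key, compiled regex) pairs.
    Simple form lists EventCodes ("1000, 1001", ranges like 1000-1010);
    advanced form is key="regex" pairs, all of which must match."""
    pairs = _PAIR.findall(value)
    if pairs:
        return [(key, re.compile(rx)) for key, rx in pairs]
    codes = []
    for tok in value.split(","):
        tok = tok.strip()
        if "-" in tok:
            lo, hi = tok.split("-", 1)
            codes.extend(range(int(lo), int(hi) + 1))
        elif tok:
            codes.append(int(tok))
    alternation = "|".join(str(c) for c in codes)
    return [("EventCode", re.compile(rf"^(?:{alternation})$"))]

def entry_matches(pairs, event):
    """An entry applies only when every key=regex pair matches its event field.
    Assumption: regexes are searched unanchored within the field value."""
    return all(rx.search(str(event.get(key, ""))) for key, rx in pairs)

def passes(event, whitelist=(), blacklist=()):
    """Modelled rule (assumption): keep an event only if it matches some
    whitelist entry, when any are configured, and no blacklist entry."""
    wl = [parse_filter(v) for v in whitelist]
    bl = [parse_filter(v) for v in blacklist]
    if wl and not any(entry_matches(p, event) for p in wl):
        return False
    return not any(entry_matches(p, event) for p in bl)

# Filters quoted in the thread, plus constructed sample events to run them over.
SECURITY_BLACKLIST = [
    r'EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"',
    r'EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"',
]
APP_WHITELIST = ["1000, 1001, 11707, 11724"]
SAMPLE_EVENTS = [
    {"EventCode": "4662", "Message": "Object Type:\tgroupPolicyContainer"},
    {"EventCode": "4662", "Message": "Object Type:\tuser"},
    {"EventCode": "1000", "Type": "Error"},
    {"EventCode": "1026", "Type": "Error"},
]
```

With these inputs, passes(SAMPLE_EVENTS[0], blacklist=SECURITY_BLACKLIST) is True because the negative lookahead rejects the groupPolicyContainer event from the blacklist, while the "user" event is dropped; under APP_WHITELIST only EventCode 1000 survives.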