Hi all,
I am trying to set up WindowsEventLog to send all events with EventCode=4648 to one index, wineventlog_4648, and the remainder to a second index, wineventlog.
My progress so far has leaned heavily on this answer: https://answers.splunk.com/answers/565511/can-i-use-clone-sourcetype-to-send-events-to-multi.html.
However, I have been unable to get it to work. Am I fundamentally misunderstanding how some of these fields operate? To start, I am fine with duplicate entries but have not been able to populate wineventlog_4648 with any events.
Any guidance would be greatly appreciated.
inputs.conf
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest
props.conf
[WinEventLog://Security]
TRANSFORMS-WinEventLog_4648
transforms.conf
[WinEventLog_4648]
CLONE_SOURCETYPE = WinEventLog_Security_4648
SOURCE_KEY = field:EventCode
REGEX = /4648/
FORMAT = wineventlog_4648
DEST_KEY = _MetaData:Index
Hey @woodcock
Thanks for the help. You were right about the name in props.conf.
I'm glad to say I figured it out, but I ended up doing it a different way without CLONE_SOURCETYPE.
props.conf
[WinEventLog:Security]
TRANSFORMS-routing = routeSubset
transforms.conf
[routeSubset]
REGEX = EventCode=4648
FORMAT = wineventlog_4648
DEST_KEY = _MetaData:Index
Thanks for helping me think of different ways to approach it.
I converted your comment to an answer. You should click Accept on it to close the question.
My other answer is true but you have other problems. This:
SOURCE_KEY = field:EventCode
Should be this:
SOURCE_KEY = EventCode
But even that won't work because the CLONE_SOURCETYPE feature is an index-time function and the EventCode field is not an index-time field, so it doesn't yet exist to be used as SOURCE_KEY. Try this instead for transforms.conf:
[WinEventLog_4648]
CLONE_SOURCETYPE = WinEventLog_Security_4648
REGEX = EventCode=4648
Your problem is in props.conf. This part is wrong:
[WinEventLog://Security]
It must match your sourcetype value exactly, so it should probably be this (but check your events to be sure):
[WinEventLog:Security]
Unfortunately this did not solve it. Thank you though.
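The following is an added example, not code from the thread or from Splunk: a small Python model of the index-time routing discussed above (props stanza matched exactly against the sourcetype, REGEX applied to the SOURCE_KEY, FORMAT written to DEST_KEY). It assumes the two constructed Security events below and a deliberately simplified set of index-time keys, and shows why the accepted routeSubset stanza routes 4648 while the original SOURCE_KEY = field:EventCode, REGEX = /4648/ and [WinEventLog://Security] variants never fire.

```python
import re

# Constructed sample events in the multi-line layout the WinEventLog input produces.
# Only the index-time keys that matter for routing are modelled (assumption, not Splunk's internals).
EVENTS = [
    {"_raw": "LogName=Security\nEventCode=4648\nMessage=A logon was attempted using explicit credentials.",
     "MetaData:Sourcetype": "WinEventLog:Security", "_MetaData:Index": "wineventlog"},
    {"_raw": "LogName=Security\nEventCode=4624\nMessage=An account was successfully logged on.",
     "MetaData:Sourcetype": "WinEventLog:Security", "_MetaData:Index": "wineventlog"},
]

def apply_transform(event, stanza):
    """Model one transforms.conf routing stanza at index time (simplified model)."""
    source_key = stanza.get("SOURCE_KEY", "_raw")   # Splunk's default SOURCE_KEY is _raw
    # Only index-time keys exist at this stage; a search-time field such as EventCode is absent,
    # so a SOURCE_KEY naming it has nothing to match against and the stanza is a no-op.
    if source_key not in event:
        return event
    if re.search(stanza["REGEX"], event[source_key]):
        return dict(event, **{stanza["DEST_KEY"]: stanza["FORMAT"]})
    return event

def route(events, props, transforms):
    """Return the index each event lands in. props maps a stanza name to transform names;
    the stanza is applied only when it equals the event's sourcetype exactly."""
    result = []
    for ev in events:
        for name in props.get(ev["MetaData:Sourcetype"], []):
            ev = apply_transform(ev, transforms[name])
        result.append(ev["_MetaData:Index"])
    return result

ROUTE = {"REGEX": "EventCode=4648", "FORMAT": "wineventlog_4648", "DEST_KEY": "_MetaData:Index"}
BROKEN_KEY = {"SOURCE_KEY": "field:EventCode", "REGEX": "/4648/",
              "FORMAT": "wineventlog_4648", "DEST_KEY": "_MetaData:Index"}
SLASHES = {"REGEX": "/4648/", "FORMAT": "wineventlog_4648", "DEST_KEY": "_MetaData:Index"}  # slashes are literal in PCRE

def demo():
    working = route(EVENTS, {"WinEventLog:Security": ["routeSubset"]}, {"routeSubset": ROUTE})
    wrong_stanza = route(EVENTS, {"WinEventLog://Security": ["routeSubset"]}, {"routeSubset": ROUTE})
    wrong_key = route(EVENTS, {"WinEventLog:Security": ["x"]}, {"x": BROKEN_KEY})
    slashes = route(EVENTS, {"WinEventLog:Security": ["x"]}, {"x": SLASHES})
    return working, wrong_stanza, wrong_key, slashes

if __name__ == "__main__":
    labels = ("working routeSubset", "[WinEventLog://Security]", "SOURCE_KEY=field:EventCode", "REGEX=/4648/")
    for label, indexes in zip(labels, demo()):
        print(f"{label:28s} -> {indexes}")
```

Only the first configuration sends the 4648 event to wineventlog_4648; the other three leave both events in wineventlog, which matches the behaviour reported in the question.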