Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How does a LOOKUP and Report command work in a PROPS.CONF ?

pfabrizi
Path Finder
‎10-19-2018 09:19 AM

We have to use Graylog to forward Windows events to our SPLUNK. However we are trying to use CIM model and we have asked the graylog folks to alias some fields. I have been looking at the props.conf from the slunk_ta_windows app and asking our graylog folks to alias the fields to match those in the TA_windows app, which as long as I set the source and source type to wineventlog:security they appear to be working. But I am trying to understand these commands and what they do?

LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category
REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security

Once I can understand these I can probably get closer to all the fields I need graylog to send.

Thanks!

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...