Getting Data In

How to configure Splunk to index only security events from Windows machines?

New Member

Can Splunk be configured to index only security events (failed logins, authorization changes, etc) from Windows machines, and not performance information?

Tags (3)
0 Karma


Yes, you should use this in you inputs.conf file :

disabled = 0

We do the exact same thing, furthermore we sort out event number we don't need using event ID exctracted from :

Here's what our transforms.conf looks like :

REGEX =  (?msi).*EventCode=(4624|4634|4625|4740|4767|5143|4670|4670|4663|4670|4670|4660|4663|5143|4657|4720|4722|47239|4724|4738|4725|4726|4738|4727|4731|4728|4732|4729|4733|4730|4734|6144|4674|4674|4674|4608|4609|4610|4611|4612|4614|4616|528|538|540|529|682|531|551|537|539|552|4623|4672|4647|4648|560|562|4656|4658)
DEST_KEY = queue
FORMAT = indexQueue
0 Karma