Getting Data In

How to configure Splunk to index only security events from Windows machines?

New Member

Can Splunk be configured to index only security events (failed logins, authorization changes, etc) from Windows machines, and not performance information?

Tags (3)
0 Karma

Explorer

Yes, you should use this in you inputs.conf file :

[WinEventLog://Security]
disabled = 0

We do the exact same thing, furthermore we sort out event number we don't need using event ID exctracted from :
http://support.microsoft.com/kb/977519

Here's what our transforms.conf looks like :

[grab]
REGEX =  (?msi).*EventCode=(4624|4634|4625|4740|4767|5143|4670|4670|4663|4670|4670|4660|4663|5143|4657|4720|4722|47239|4724|4738|4725|4726|4738|4727|4731|4728|4732|4729|4733|4730|4734|6144|4674|4674|4674|4608|4609|4610|4611|4612|4614|4616|528|538|540|529|682|531|551|537|539|552|4623|4672|4647|4648|560|562|4656|4658)
DEST_KEY = queue
FORMAT = indexQueue
0 Karma

SplunkTrust
SplunkTrust