
How to configure a forwarder to filter and send the specific events I want?

Communicator

I'm using a set of universal forwarders to send data to a central indexer.

I would like to send events from "WinEventLog:Security" only if, for example, the Event Code is 552 (EventCode=552).

I have read some posts about the same subject and tried some of the suggested solutions. However, I haven't been able to make scenarios similar to this one work, since I still receive all types of events.

My conf files:

inputs.conf
----------------
[WinEventLog:Security]
disabled = 0
index = my_index
start_from = oldest

props.conf
--------------
[WinEventLog:Security]
TRANSFORMS-sec = allowtheseevents

outputs.conf
----------------
[tcpout]
defaultGroup=nullGroup
indexAndForward = 0

[tcpout:nullGroup]
server=0.0.0.0:0000

[tcpout:allowedEventsGroup]
server=(my_server):9997

transforms.conf
---------------------
[allowtheseevents]
REGEX = (?m)^EventCode=552
# the setting name is DEST_KEY (with underscore); DESTKEY is silently ignored
DEST_KEY = _TCPROUTING
FORMAT = allowedEventsGroup

In "transforms.conf" I have also tried something like: "[\w\W]+EventCode\s=\s552[\w\W]+"
Can someone help me with this? Thank you.


Re: How to configure a forwarder to filter and send the specific events I want?

Communicator

fernandoandre, if I can make a friendly suggestion: Splunk is architected to capture/index ALL data and have you use search queries and other methods to get/view the data you want.
To do this, remove your REGEX and FORMAT on your Universal Forwarder client (or remove transforms.conf altogether). Restart your UFC.
Then search for the data you are looking for on your search query Web interface.
Ex. = index=* source=WinEventLog:Security AND EventCode=552

If you are looking to be alerted when this occurs, you can set up a saved search and an alert to let you know.

Now if you are looking to filter data based on your available bandwidth or license constraints, that's a different story, you can do that. It is just a lot more work.


Re: How to configure a forwarder to filter and send the specific events I want?

Communicator

I know it goes against Splunk logic, but in this particular case this is really what I need, since I only want some events (for example successful/failed logons). The reasons for this are simple: 1) I have a very big infrastructure; 2) I want to reduce the traffic on the network; 3) I don't want to index data that I don't need and don't want to analyze.
My goal is to filter the events at the universal forwarder. And believe me, I will receive tons of events this way.


Re: How to configure a forwarder to filter and send the specific events I want?

Path Finder

"Splunk is architected to capture/index ALL data"... how convenient for a company that charges per GB indexed per day. Universal Forwarders should allow a regex filter in the monitor stream. It only makes sense and doesn't require "parsing" or any Splunk-specific technology.


Re: How to configure a forwarder to filter and send the specific events I want?

Contributor

First of all you will not be able to filter on the Universal Forwarder. If you want to filter events on the Windows server then you will need to install a regular/heavy Forwarder. If you want to continue using a UF instead then you will need to modify the config files on the Indexer. Here is a link to information on how to install a Regular/Heavy Forwarder:

http://docs.splunk.com/Documentation/Splunk/4.2.5/Deploy/Deployaforwarder


Re: How to configure a forwarder to filter and send the specific events I want?

Communicator

I didn't remember the following information/table:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Typesofforwarders#Forwarder_comparison
In fact, it states that the universal forwarder does neither event parsing nor per-event filtering.
I will try to do the filtering on the indexer, but prior to the indexing process.

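Added example, not from the thread: the indexer-side version of the filtering attempted in the question, using the "discard everything, then keep what matches" pattern Splunk documents for nullQueue routing. It assumes the UF still sends the Security log as sourcetype WinEventLog:Security, that these two files live in an app (or system/local) on the indexer or a heavy forwarder, and the stanza names setnull and keep_552 are my own choice.

```ini
# props.conf on the INDEXER (or heavy forwarder), not on the universal forwarder.
# The UF ships raw data without parsing, so queue routing only takes effect on the
# first Splunk instance that parses. The stanza matches the sourcetype the UF assigns.
[WinEventLog:Security]
# Transforms run left to right; when two set the same key the later one wins,
# so the "discard everything" rule must come first and the "keep" rule second.
TRANSFORMS-filter = setnull, keep_552

# transforms.conf on the same host
[setnull]
# Match every event and route it to nullQueue: dropped before indexing,
# so it is neither stored nor counted against the license.
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_552]
# Windows events arrive as multi-line text with "EventCode=552" on its own line,
# hence (?m) so ^ anchors at each line start; \b stops 552 from matching 5520 etc.
REGEX = (?m)^EventCode=552\b
DEST_KEY = queue
FORMAT = indexQueue
```

After a splunkd restart on the indexer, `index=my_index sourcetype="WinEventLog:Security" | stats count by EventCode` should show only 552. Note that this addresses the licensing and storage goals, not the bandwidth one: every event still crosses the network from the UF to the indexer and is only discarded on arrival.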

Re: How to configure a forwarder to filter and send the specific events I want?

Communicator

Or as tgow said, you can install a regular/heavy Forwarder on the server sending the alerts.


Re: How to configure a forwarder to filter and send the specific events I want?

Communicator

Unfortunately that's not an option... smallest footprint possible. Thank you for the help.


Re: How to configure a forwarder to filter and send the specific events I want?

SplunkTrust

Is the universal forwarder good for anything? You can't use it for Python scripted inputs, you can't filter garbage logs, you can't perform many props/transforms actions, and it isn't even built to run as non-root but still be able to monitor the system it is running on. Basically it's just a giant hose built to run up your Splunk license.
