Getting Data In

How to configure a forwarder to filter and send the specific events I want?

fernandoandre
Communicator

I'm using a set of universal forwarders to send data to a central indexer.

I would like to send events from "WinEventLog:Security" only if, for example, the Event Code is 552 (EventCode=552).

I have read some posts about the same subject and tried some of the suggested solutions. However, I haven't been able to make scenarios similar to this one work, since I still receive all types of events.

My conf files:

inputs.conf
----------------
[WinEventLog:Security]
disabled = 0
index = my_index
start_from = oldest

props.conf
--------------
[WinEventLog:Security]
TRANSFORMS-sec = allowtheseevents

outputs.conf
----------------
[tcpout]
defaultGroup=nullGroup
indexAndForward = 0

[tcpout:nullGroup]
server=0.0.0.0:0000

[tcpout:allowedEventsGroup]
server=(my_server):9997

transforms.conf
---------------------
[allowtheseevents]
REGEX = (?m)^EventCode=552
DEST_KEY = _TCP_ROUTING
FORMAT = allowedEventsGroup

In "transforms.conf" I have also tried something like: "[\w\W]+EventCode\s*=\s*552[\w\W]+"

Can someone help me with this? Thank you.

1 Solution

tgow
Splunk Employee

First of all, you will not be able to filter on the Universal Forwarder. If you want to filter events on the Windows server, then you will need to install a regular/heavy forwarder. If you want to continue using a UF instead, then you will need to modify the config files on the indexer. Here is a link to information on how to install a regular/heavy forwarder:

http://docs.splunk.com/Documentation/Splunk/4.2.5/Deploy/Deployaforwarder

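The indexer-side filter that the accepted answer points to, written out as an added example (it is not part of the original thread and not the asker's posted config). It assumes the events arrive from the universal forwarder with sourcetype WinEventLog:Security and that both files are placed on the indexer, or on a heavy forwarder, which also parses, under $SPLUNK_HOME/etc/system/local/ or an app's local/ directory, followed by a restart. The stanza names drop_all_security and keep_552 are arbitrary. TRANSFORMS-* settings are applied in the parsing pipeline, which a universal forwarder does not run, so the asker's props.conf and transforms.conf were ignored on the UF; the same kind of configuration takes effect once it sits on a tier that parses. Instead of routing unwanted events to a dummy tcpout group, the example sends every event to nullQueue and then overrides the queue for the matching ones, which is Splunk's documented pattern for keeping a few events and discarding the rest. The forwarder's outputs.conf then only needs a single tcpout group pointing at the indexer.

```ini
# props.conf  (on the indexer or heavy forwarder, NOT on the universal forwarder)
# Transforms listed in one TRANSFORMS-<class> setting run in the order written:
# first every event is sent to nullQueue, then events matching keep_552 have
# their queue reset to indexQueue. The class name "sec" is arbitrary.
[WinEventLog:Security]
TRANSFORMS-sec = drop_all_security, keep_552

# transforms.conf  (same host as props.conf above)
# Stage 1: match every event (REGEX = . matches any character) and discard it
# by routing it to nullQueue. Stanza name is an assumption for this example.
[drop_all_security]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Stage 2: events whose classic WinEventLog text contains a line reading
# "EventCode=552" are put back on indexQueue and get indexed.
# (?m) makes ^ anchor at line starts inside the multi-line event; the trailing
# \b stops the pattern from also matching codes such as 5520 that merely begin
# with 552, and works whether the event's lines end in \n or \r\n.
[keep_552]
REGEX = (?m)^EventCode=552\b
DEST_KEY = queue
FORMAT = indexQueue
```

After restarting, search `index=my_index sourcetype="WinEventLog:Security"` and confirm that only EventCode=552 events appear; if nothing arrives at all, check the transform order (the nullQueue stanza must come first) and that the files were placed on the parsing tier rather than on the UF.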
