I'm using a set of universal forwarders to send data to a central indexer.
I would like to send events from "WinEventLog:Security" only if, for example, the Event Code is 552 (EventCode=552).
I have read some posts about the same subject and tried some of the suggested solutions. However, I haven't been able to make scenarios similar to this one work, since I still receive all types of events.
My conf files:
# inputs.conf
[WinEventLog:Security]
disabled = 0
index = my_index
start_from = oldest

# props.conf
[WinEventLog:Security]
TRANSFORMS-sec = allowtheseevents

# outputs.conf
[tcpout]
defaultGroup=nullGroup
indexAndForward = 0

[tcpout:nullGroup]
server=0.0.0.0:0000

[tcpout:allowedEventsGroup]
server=(my_server):9997

# transforms.conf
[allowtheseevents]
REGEX = (?m)^EventCode=552
DEST_KEY = _TCP_ROUTING
FORMAT = allowedEventsGroup
On "transforms.conf" I have also tried something like: "[\w\W]+EventCode\s*=\s*552[\w\W]+"
Can someone help me on this? Thank you.
First of all, you will not be able to filter on the Universal Forwarder. If you want to filter events on the Windows server then you will need to install a regular/heavy Forwarder. If you want to continue using a UF instead then you will need to modify the config files on the Indexer. Here is a link to information on how to install a Regular/Heavy Forwarder:
http://docs.splunk.com/Documentation/Splunk/4.2.5/Deploy/Deployaforwarder
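To check how the [allowtheseevents] stanza from the question behaves once it is placed where routing actually happens (indexer or heavy forwarder, as the answer says), here is an added Python model; it is not Splunk's code and not from the question or the answer. It applies the stanza's REGEX to constructed WinEventLog-style events and returns the tcpout group; the sample event fields and the stricter regex variant are my assumptions for the illustration.

```python
import re

# Simplified model of Splunk's TRANSFORMS routing on the _TCP_ROUTING key.
# Added illustration, not Splunk's code: transforms are tried in order, the last
# one whose REGEX matches sets the tcpout group, and an event that matches nothing
# goes to the [tcpout] defaultGroup (nullGroup in the question's outputs.conf).

# Stanza copied from the question's transforms.conf.
TRANSFORMS = {
    "allowtheseevents": {
        "REGEX": r"(?m)^EventCode=552",
        "DEST_KEY": "_TCP_ROUTING",
        "FORMAT": "allowedEventsGroup",
    },
}

# Assumed tightening for this example: anchor the end of the line so that an
# EventCode that merely starts with 552 (e.g. 5520) is not routed as 552.
TRANSFORMS_STRICT = {
    "allowtheseevents": {
        "REGEX": r"(?m)^EventCode=552\s*$",
        "DEST_KEY": "_TCP_ROUTING",
        "FORMAT": "allowedEventsGroup",
    },
}

def make_event(code: str, message: str) -> str:
    """Build a constructed WinEventLog-style raw event: one key=value field per line."""
    return "\r\n".join([
        "01/01/2012 12:00:00 AM",  # constructed timestamp
        "LogName=Security",
        "SourceName=Security",
        f"EventCode={code}",
        "Type=Success Audit",
        f"Message={message}",
    ])

def route(event: str, transforms: dict, default_group: str = "nullGroup") -> str:
    """Return the tcpout group the event would be forwarded to."""
    group = default_group
    for stanza in transforms.values():
        if stanza["DEST_KEY"] != "_TCP_ROUTING":
            continue  # other DEST_KEYs (queue, _MetaData:Index, ...) are out of scope here
        if re.search(stanza["REGEX"], event):
            group = stanza["FORMAT"]  # last matching transform wins
    return group
```

Running route() over events with codes 552, 528 and 5520 shows that the question's regex sends both 552 and 5520 to allowedEventsGroup, while the anchored variant keeps only 552.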