Getting Data In

How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

oldguard911
Explorer

We have a new Splunk server. We have installed the universal forwarder on the server and it is currently sending the events to the main index. We would like all Windows events to go to the Windows index. How do I change where these events go? I would like to do it from the server side if possible.

0 Karma
1 Solution

oldguard911
Explorer

So I think we have the final answer.

In /opt/splunk/etc/system/local/props.conf, before anything else in the file (we had a [localhost] section), add the following lines:

[WinEventLog:Security]
TRANSFORMS-Windows = windows_security

[WinEventLog:System]
TRANSFORMS-Windows = windows_system

[WinEventLog:Application]
TRANSFORMS-Windows = windows_application

[WinEventLog:Setup]
TRANSFORMS-Windows = windows_setup

Create transforms.conf in /opt/splunk/etc/system/local if it does not exist and add the following lines:

[windows_security]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true

[windows_system]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true

[windows_application]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true

[windows_setup]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true

Make sure you have an index called windowsLogs and then restart the service. All of the logs go to the right location.

Not sure what created the [localhost] entries in the props.conf file or how critical they are. If anyone has any insight on whether what we are doing is good or bad, or why the [localhost] entries might be on one server and not the other, that would be greatly appreciated. For right now it looks like we have what we were hoping for.
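As an added check (my own example, not code from the thread or from Splunk's tooling), the script below parses a props.conf/transforms.conf pair written in the form of the accepted answer and reports, for each WinEventLog sourcetype, which index its TRANSFORMS chain writes to and which mistakes (a DEST_KEY without the leading underscore, a transforms stanza that does not exist, WRITE_META not set, an index that is not defined) would silently leave those events in main. The two file contents and the index list are constructed for the example.

```python
# Constructed sample files modelled on the thread's stanzas; not copied from a live server.
PROPS_CONF = """[WinEventLog:Security]
TRANSFORMS-Windows = windows_security
[WinEventLog:System]
TRANSFORMS-Windows = windows_system
[WinEventLog:Application]
TRANSFORMS-Windows = windows_application
"""
TRANSFORMS_CONF = """[windows_security]
REGEX = (.*)
FORMAT = windowsLogs
DEST_KEY = _MetaData:Index
WRITE_META = true
[windows_system]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = MetaData:Index
WRITE_META = true
"""

def parse_conf(text):
    """Minimal Splunk .conf reader -> {stanza: {key: value}}; key names are lower-cased."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return stanzas

def check_routing(props_text, transforms_text, known_indexes):
    """Resolve the index each TRANSFORMS-<class> chain writes to; list defects that leave events in main."""
    props, transforms, report = parse_conf(props_text), parse_conf(transforms_text), {}
    for stanza, keys in props.items():
        for key, value in keys.items():
            if key.startswith("transforms"):
                for name in (n.strip() for n in value.split(",")):
                    t, problems = transforms.get(name, {}), []
                    if not t:
                        problems.append(f"transforms stanza [{name}] not found")
                    if t.get("dest_key") != "_MetaData:Index":
                        problems.append("DEST_KEY must be _MetaData:Index")
                    if t.get("write_meta", "").lower() != "true":
                        problems.append("WRITE_META = true is required")
                    if t.get("format") not in known_indexes:
                        problems.append(f"index {t.get('format')!r} is not defined")
                    report[stanza] = (t.get("format"), problems)
    return report
```

On a real host, feed it the files under $SPLUNK_HOME/etc/system/local (or the app you deploy) and the output of `splunk list index` for the index set; `splunk btool props list WinEventLog:Security --debug` shows the merged stanza and which file each setting came from, which is how to spot an earlier stanza overriding yours.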

ltrand
Contributor

Either using the deployment server (Splunk Only) or using something like Puppet or Chef (universal automation tools) will allow you to manage the entire environment from a single point.

0 Karma

oldguard911
Explorer

And I know why it doesn't work, but I don't know what the line means...

In /opt/splunk/etc/system/local/props.conf are some lines that do not exist in the server that works. One of those lines is as follows:

TRANSFORMS = syslog-host

If I comment this line out, the changes made to redirect the security log start working. If I turn it off, the lines stop working. I am guessing an application we installed made this change, but I don't really understand what the line means. Anyone understand why this might be needed?

0 Karma

oldguard911
Explorer

We found an option to modify the props.conf and transforms.conf. We made it work on one Splunk server, but not the second one. The method looks like this on the working server.

in /opt/splunk/local/props.conf

add lines

[WinEventLog:Security]
TRANSFORMS-windows = windows_security

in /opt/splunk/local/transforms.conf

[windows_security]
REGEX = (.*)
FORMAT =
DEST_Key = _MetaData:Index
WRITE_META = true

Why would it work on one server and not the other?

0 Karma

sk314
Builder

Have you tried adding an index =[your index] line to the inputs.conf file on your forwarder?

somesoni2
Revered Legend

Do you configure your forwarder manually or using a deployment server?

0 Karma

oldguard911
Explorer

I have been doing it manually, but it sounds like you are suggesting that a deployment server might make the configuration a bit easier? We want to ensure we maintain tight security. I will look into the deployment server to see if that makes the process easier / more consistent.

0 Karma

oldguard911
Explorer

No... If I do it that way, every server has to be installed and then configured with the modification. The probability of mistakes on at least some servers is almost 100 percent as we do all of the servers. Is there no way to tell the server to put that traffic in a different index?

0 Karma