We have a new Splunk server. We have installed the universal forwarder on the server and it is currently sending the events to the main index. We would like all Windows events to go to the Windows index. How do I change where these events go? I would like to do it from the server side if possible.
So I think we have the final answer.
In /opt/splunk/etc/system/local/props.conf before anything else in the file (we had a [localhost] section) add the following lines:
[WinEventLog:Security]
TRANSFORMS-Windows = windows_security
[WinEventLog:System]
TRANSFORMS-Windows = windows_system
[WinEventLog:Application]
TRANSFORMS-Windows = windows_application
[WinEventLog:Setup]
TRANSFORMS-Windows = windows_setup
Create transforms.conf in /opt/splunk/etc/system/local if it does not exist and add the following lines:
[windows_security]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true
[windows_system]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true
[windows_application]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true
[windows_setup]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true
Make sure you have an index called windowsLogs and then restart the service. All of the logs go to the right location.
Not sure what created the [localhost] entries in the props.conf file or how critical they are. If anyone has any insight on whether what we are doing is good or bad, or why the [localhost] entries might be on one server and not the other, that would be greatly appreciated. For right now it looks like we have what we were hoping for.
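The props.conf/transforms.conf routing in the answer above has three places to get wrong: the TRANSFORMS-* reference, the transforms stanza's DEST_KEY/FORMAT pair, and the existence of the target index (an event sent to an index that is not defined on the indexer is not stored). The following is an added example, not code from the thread or from Splunk: a small Python script that parses the three .conf files involved (Splunk's INI-style format), prints which index each WinEventLog:* sourcetype would be routed to, flags any FORMAT that names an index not present in indexes.conf, and lists TRANSFORMS lines that sit above the first stanza header or in [default], because Splunk applies those to every stanza in that props.conf. The file contents are constructed to mirror the thread; the windows_setup transform is deliberately pointed at a misspelled index name so the check has something to catch, and the stray TRANSFORMS = syslog-host line mentioned later in the thread is placed above the first stanza.

```python
"""Sanity-check Splunk index routing for WinEventLog sourcetypes.

Added example (not from the thread). Parses props.conf, transforms.conf and
indexes.conf text and reports where each WinEventLog:* stanza would send
events. All .conf contents below are constructed for the example.
"""
import re

# Constructed: mirrors the thread's props.conf, with one TRANSFORMS line above
# the first stanza header. Splunk treats settings above the first header as
# belonging to [default], i.e. applying to every stanza in the file.
PROPS_CONF = """\
TRANSFORMS = syslog-host

[WinEventLog:Security]
TRANSFORMS-Windows = windows_security

[WinEventLog:System]
TRANSFORMS-Windows = windows_system

[WinEventLog:Application]
TRANSFORMS-Windows = windows_application

[WinEventLog:Setup]
TRANSFORMS-Windows = windows_setup
"""

# Constructed: same shape as the thread's transforms.conf. The last stanza's
# FORMAT is deliberately misspelled (windows_logs) to show the failure mode.
TRANSFORMS_CONF = """\
[windows_security]
REGEX = (.*)
FORMAT = windowsLogs
DEST_KEY = _MetaData:Index
WRITE_META = true

[windows_system]
REGEX = (.*)
FORMAT = windowsLogs
DEST_KEY = _MetaData:Index
WRITE_META = true

[windows_application]
REGEX = (.*)
FORMAT = windowsLogs
DEST_KEY = _MetaData:Index
WRITE_META = true

[windows_setup]
REGEX = (.*)
FORMAT = windows_logs
DEST_KEY = _MetaData:Index
WRITE_META = true
"""

# Constructed: a minimal indexes.conf defining only the index the thread uses.
INDEXES_CONF = """\
[windowsLogs]
homePath = $SPLUNK_DB/windowsLogs/db
coldPath = $SPLUNK_DB/windowsLogs/colddb
thawedPath = $SPLUNK_DB/windowsLogs/thaweddb
"""


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}.

    Keys seen before the first [stanza] header are filed under 'default',
    which is how Splunk treats them.
    """
    stanzas = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def _get(stanza, key):
    """Case-insensitive attribute lookup (the thread writes DEST_Key, the spec DEST_KEY)."""
    for k, v in stanza.items():
        if k.lower() == key.lower():
            return v
    return ""


def index_routes(props, transforms, indexes):
    """Return (sourcetype, transforms_class, transform, target_index, index_defined)
    for every index-rewriting transform referenced by a WinEventLog:* stanza."""
    defined = {name for name in indexes if name != "default"}
    routes = []
    for stanza, keys in props.items():
        if not stanza.startswith("WinEventLog:"):
            continue
        classes = sorted(k for k in keys if k.upper().startswith("TRANSFORMS"))
        for cls in classes:
            for tname in (t.strip() for t in keys[cls].split(",") if t.strip()):
                t = transforms.get(tname, {})
                if _get(t, "DEST_KEY") == "_MetaData:Index":
                    target = _get(t, "FORMAT")
                    routes.append((stanza, cls, tname, target, target in defined))
    return routes


def global_transforms(props):
    """TRANSFORMS* settings in [default] apply to every sourcetype in this props.conf."""
    return {k: v for k, v in props.get("default", {}).items()
            if k.upper().startswith("TRANSFORMS")}


def report(props_text, transforms_text, indexes_text):
    """Human-readable routing report as a list of lines."""
    props, transforms, indexes = (parse_conf(t) for t in (props_text, transforms_text, indexes_text))
    lines = []
    for st, cls, tname, target, ok in index_routes(props, transforms, indexes):
        status = "ok" if ok else "MISSING INDEX"
        lines.append(f"{st}: {cls} = {tname} -> index={target!r} [{status}]")
    for k, v in global_transforms(props).items():
        lines.append(f"WARNING: '{k} = {v}' is above the first stanza / in [default], "
                     "so it applies to every sourcetype in this props.conf")
    return lines


if __name__ == "__main__":
    print("\n".join(report(PROPS_CONF, TRANSFORMS_CONF, INDEXES_CONF)))
```

Run it against the real files by replacing the three constructed strings with the contents of `$SPLUNK_HOME/etc/system/local/props.conf`, `transforms.conf` and the merged `indexes.conf`; the same checks can be cross-checked with `splunk btool props list --debug` and `splunk btool indexes list`, which show the merged configuration Splunk actually loads.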
Either using the deployment server (Splunk Only) or using something like Puppet or Chef (universal automation tools) will allow you to manage the entire environment from a single point.
And I know why it doesn't work, but I don't know what the line means...
In /opt/splunk/etc/system/local/props.conf are some lines that do not exist in the server that works. One of those lines is as follows:
TRANSFORMS = syslog-host
If I comment this line out, the changes made to redirect the security log start working. If I turn it off, the lines stop working. I am guessing an application we installed made this change, but I don't really understand what the line means. Anyone understand why this might be needed?
We found an option to modify the props.conf and transforms.conf. We made it work on one Splunk server, but not the second one. The method looks like this on the working server.
in /opt/splunk/local/props.conf
add lines
[WinEventLog:Security]
TRANSFORMS-windows = windows_security
in /opt/splunk/local/transforms.conf
[windows_security]
REGEX = (.*)
FORMAT =
DEST_Key = _MetaData:Index
WRITE_META = true
Why would it work on one server and not the other?
Have you tried adding an index = [your index] line to the inputs.conf file on your forwarder?
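Setting the index on the forwarder's inputs.conf is the simpler route, and packaging it as a deployment-server app is what removes the per-server hand edits the original poster is worried about. The following is an added example, not configuration from the thread or from Splunk; the app name `windows_inputs_app` is a hypothetical placeholder, the index name `windowsLogs` is the one used in the thread, and the stanza names are the standard Windows event log input stanzas of the universal forwarder.

```ini
# Added example: $SPLUNK_HOME/etc/deployment-apps/windows_inputs_app/local/inputs.conf
# on the deployment server. Once the app is mapped to a server class in
# serverclass.conf, every forwarder in that class receives it under
# $SPLUNK_HOME/etc/apps/windows_inputs_app/ and applies it on its own.
# The app name is a placeholder chosen for this example.

[WinEventLog://Security]
disabled = 0
index = windowsLogs

[WinEventLog://System]
disabled = 0
index = windowsLogs

[WinEventLog://Application]
disabled = 0
index = windowsLogs

[WinEventLog://Setup]
disabled = 0
index = windowsLogs
```

Two caveats a practitioner should check. The index named here must already exist on the indexer (the same "make sure you have an index called windowsLogs" step as in the props/transforms approach); the forwarder does not create it. And an app-level `index` setting only applies to the stanzas listed, so any WinEventLog input enabled elsewhere (for example in `etc/system/local/inputs.conf` on the forwarder, which has higher precedence than an app's `local` directory) keeps its own index unless it is changed as well.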
You configure your forwarder manually or using deployment server?
I have been doing it manually, but it sounds like you are suggesting that a deployment server might make the configuration a bit easier? We want to ensure we maintain tight security. I will look into the deployment server to see if that makes the process easier / more consistent.
No... If I do it that way, every server has to be installed and then configured with the modification. The probability of mistakes on at least some servers is almost 100 percent as we do all of the servers. Is there no way to tell the server to put that traffic in a different index?
