Getting Data In

How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

Explorer

We have a new Splunk server. We have installed the universal forwarder on the server and it is currently sending the events to the main index. We would like all Windows events to go to the Windows index. How do I change where these events go? I would like to do it from the server side if possible.
Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

Builder

Have you tried adding an index =[your index] line to the inputs.conf file on your forwarder?

Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

Explorer

No... If I do it that way, every server has to be installed and then configured with the modification. The probability of mistakes on at least some servers is almost 100 percent as we do all of the servers. Is there no way to tell the server to put that traffic in a different index?
Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

SplunkTrust

Do you configure your forwarder manually or using a deployment server?
Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

Explorer

I have been doing it manually, but it sounds like you are suggesting that a deployment server might make the configuration a bit easier? We want to ensure we maintain tight security. I will look into the deployment server to see if that makes the process easier / more consistent.
Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

Contributor

Either using the deployment server (Splunk Only) or using something like Puppet or Chef (universal automation tools) will allow you to manage the entire environment from a single point.
Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

Explorer

We found an option to modify the props.conf and transforms.conf. We made it work on one Splunk server, but not the second one. The method looks like this on the working server.

in /opt/splunk/local/props.conf

add lines

[WinEventLog:Security]
TRANSFORMS-windows = windows_security

in /opt/splunk/local/transforms.conf

[windows_security]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true

Why would it work on one server and not the other?
Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

Explorer

And I know why it doesn't work, but I don't know what the line means...

In /opt/splunk/etc/system/local/props.conf are some lines that do not exist in the server that works. One of those lines is as follows:

TRANSFORMS = syslog-host

If I comment this line out, the changes made to redirect the security log start working. If I turn it off, the lines stop working. I am guessing an application we installed made this change, but I don't really understand what the line means. Does anyone understand why this might be needed?
Re: How to configure universal forwarder to forward all Windows events to the Windows index, not main index?

Explorer

So I think we have the final answer.

In /opt/splunk/etc/system/local/props.conf before anything else in the file (we had a [localhost] section) add the following lines:

[WinEventLog:Security]
TRANSFORMS-Windows = windows_security

[WinEventLog:System]
TRANSFORMS-Windows = windows_system

[WinEventLog:Application]
TRANSFORMS-Windows = windows_application

[WinEventLog:Setup]
TRANSFORMS-Windows = windows_setup

Create transforms.conf in /opt/splunk/etc/system/local if it does not exist and add the following lines:

[windows_security]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true

[windows_system]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true

[windows_application]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true

[windows_setup]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true

Make sure you have an index called windowsLogs and then restart the service. All of the logs go to the right location.

Not sure what created the [localhost] entries in the props.conf file or how critical they are. If anyone has any insight on whether what we are doing is good or bad, or why the [localhost] entries might be on one server and not the other, that would be greatly appreciated. For right now it looks like we have what we were hoping for.

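The following is an added example, not the poster's code and not Splunk's own configuration engine: a small Python model of the index-routing rule the thread settles on (a TRANSFORMS-<class> reference in props.conf whose transforms.conf stanza writes FORMAT into _MetaData:Index). It embeds the thread's final-answer fragments and the first, broken attempt as inline strings, lints the mistakes the first attempt hit (misspelled TRANSFORMS key, a props.conf reference whose stanza name does not exist in transforms.conf, an empty FORMAT), and routes a few constructed sample events to show which index each lands in. The sample event text is made up for the example, the attribute name is matched case-insensitively so that both the page's DEST_Key and the spec spelling DEST_KEY are accepted, and it deliberately defines stanzas for only two of the four sourcetypes to show that a sourcetype without a stanza stays in the default index.

```python
# Added example (not the Splunk Answers poster's code, and not Splunk's own
# parser): a model of the props.conf / transforms.conf index-routing rule used
# in the thread, plus a lint for the mistakes the first attempt ran into.
import configparser
import re

# Fragments from the thread's final answer, embedded so this runs offline.
# Only two of the four sourcetypes are covered on purpose (see route_all).
PROPS_CONF = """
[WinEventLog:Security]
TRANSFORMS-Windows = windows_security

[WinEventLog:System]
TRANSFORMS-Windows = windows_system
"""

TRANSFORMS_CONF = """
[windows_security]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true

[windows_system]
REGEX = (.*)
FORMAT = windowsLogs
DEST_Key = _MetaData:Index
WRITE_META = true
"""

# The first attempt from the thread, as pasted: misspelled key, a stanza name
# that does not match the name props.conf refers to, and an empty FORMAT.
BROKEN_PROPS_CONF = """
[WinEventLog:Security]
TRANSFFORMS-windows = windows_security
"""

BROKEN_TRANSFORMS_CONF = """
[windowssecurity]
REGEX = (.*)
FORMAT =
DEST_Key = _MetaData:Index
WRITE_META = true
"""

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"sourcetype": "WinEventLog:Security", "_raw": "EventCode=4624 An account was successfully logged on."},
    {"sourcetype": "WinEventLog:System", "_raw": "EventCode=7036 The Windows Update service entered the running state."},
    {"sourcetype": "WinEventLog:Application", "_raw": "EventCode=1000 Faulting application name: notepad.exe"},
    {"sourcetype": "syslog", "_raw": "<34>Oct 11 22:14:15 host sshd[123]: Failed password for root"},
]


def parse_conf(text):
    """Parse a Splunk-style .conf fragment into {stanza: {attribute: value}}.
    Attribute case is kept as written, and only '=' separates key from value
    so a value such as _MetaData:Index is not split at the colon."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def lint(props, transforms):
    """Return a list of findings about the routing config; empty means clean."""
    findings = []
    for stanza, attrs in props.items():
        for key, value in attrs.items():
            if not key.upper().startswith("TRANS"):
                continue
            if not key.startswith("TRANSFORMS-"):
                findings.append(f"[{stanza}] {key}: expected the TRANSFORMS-<class> form")
            for name in (n.strip() for n in value.split(",")):
                if name and name not in transforms:
                    findings.append(f"[{stanza}] {key} refers to [{name}], which transforms.conf does not define")
    for stanza, attrs in transforms.items():
        a = {k.upper(): v for k, v in attrs.items()}  # DEST_Key and DEST_KEY both accepted
        if a.get("DEST_KEY") == "_MetaData:Index":
            if not a.get("FORMAT"):
                findings.append(f"[{stanza}] FORMAT is empty, so no index name would be written")
            if a.get("WRITE_META", "").lower() != "true":
                findings.append(f"[{stanza}] WRITE_META is not true")
        try:
            re.compile(a.get("REGEX", ""))
        except re.error as exc:
            findings.append(f"[{stanza}] REGEX does not compile: {exc}")
    return findings


def route(event, props, transforms, default_index="main"):
    """Index an event lands in: the default unless a TRANSFORMS-* rule on its
    sourcetype matches _raw and rewrites _MetaData:Index to FORMAT."""
    index = event.get("index", default_index)
    for key, value in props.get(event["sourcetype"], {}).items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            a = {k.upper(): v for k, v in transforms.get(name, {}).items()}
            if a.get("DEST_KEY") != "_MetaData:Index" or a.get("WRITE_META", "").lower() != "true":
                continue
            if a.get("FORMAT") and re.search(a.get("REGEX", ""), event["_raw"]):
                index = a["FORMAT"]
    return index


def route_all(props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF):
    """Map each sample sourcetype to the index it would be written to."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    return {e["sourcetype"]: route(e, props, transforms) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for sourcetype, index in route_all().items():
        print(f"{sourcetype:25} -> {index}")
    for finding in lint(parse_conf(BROKEN_PROPS_CONF), parse_conf(BROKEN_TRANSFORMS_CONF)):
        print("finding:", finding)
```

Running it shows WinEventLog:Security and WinEventLog:System going to windowsLogs while WinEventLog:Application (no stanza in this fragment) and syslog stay in main, which is why the thread's answer needs one props.conf stanza per Windows sourcetype. The lint run on the broken pair reports the three problems visible in the first attempt. On a real indexer the equivalent check is to inspect the merged configuration with splunk btool (for example `splunk btool props list WinEventLog:Security --debug`) to confirm which file each TRANSFORMS-* attribute is coming from.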