We have a new Splunk server. We have installed the universal forwarder on the server and it is currently sending the events to the main index. We would like all Windows events to go to the Windows index. How do I change where these events go? I would like to do it from the server side if possible.
Have you tried adding an index = [your index] line to the inputs.conf file on your forwarder?
No... If I do it that way, every server has to be installed and then configured with the modification. The probability of mistakes on at least some servers is almost 100 percent as we do all of the servers. Is there no way to tell the server to put that traffic in a different index?
Do you configure your forwarder manually or using a deployment server?
I have been doing it manually, but it sounds like you are suggesting that a deployment server might make the configuration a bit easier? We want to ensure we maintain tight security. I will look into the deployment server to see if that makes the process easier / more consistent.
Either using the deployment server (Splunk Only) or using something like Puppet or Chef (universal automation tools) will allow you to manage the entire environment from a single point.
We found an option to modify the props.conf and transforms.conf. We made it work on one Splunk server, but not the second one. The method looks like this on the working server.
REGEX = (.*)
DEST_KEY = _MetaData:Index
WRITE_META = true
Why would it work on one server and not the other?
And I know why it doesn't work, but I don't know what the line means...
In /opt/splunk/etc/system/local/props.conf are some lines that do not exist in the server that works. One of those lines is as follows:
TRANSFORMS = syslog-host
If I comment this line out, the changes made to redirect the security log start working. If I turn it off, the lines stop working. I am guessing an application we installed made this change, but I don't really understand what the line means. Anyone understand why this might be needed?
So I think we have the final answer.
In /opt/splunk/etc/system/local/props.conf before anything else in the file (we had a [localhost] section) add the following lines:
[WinEventLog:Security]
TRANSFORMS-Windows = windows_security

[WinEventLog:System]
TRANSFORMS-Windows = windows_system

[WinEventLog:Application]
TRANSFORMS-Windows = windows_application

[WinEventLog:Setup]
TRANSFORMS-Windows = windows_setup
Create transforms.conf in /opt/splunk/etc/system/local if it does not exist and add the following lines:
[windows_security]
REGEX = (.*)
FORMAT = windowsLogs
DEST_KEY = _MetaData:Index
WRITE_META = true

[windows_system]
REGEX = (.*)
FORMAT = windowsLogs
DEST_KEY = _MetaData:Index
WRITE_META = true

[windows_application]
REGEX = (.*)
FORMAT = windowsLogs
DEST_KEY = _MetaData:Index
WRITE_META = true

[windows_setup]
REGEX = (.*)
FORMAT = windowsLogs
DEST_KEY = _MetaData:Index
WRITE_META = true
Make sure you have an index called windowsLogs and then restart the service. All of the logs go to the right location.
Not sure what created the [localhost] entries in the props.conf file or how critical they are. If anyone has any insight on whether what we are doing is good or bad, or why the [localhost] entries might be on one server and not the other, that would be greatly appreciated. For right now it looks like we have what we were hoping for.
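Both the earlier props/transforms attempt (the one with the mis-spelled DEST_KEY) and the final answer above are the kind of thing that silently fails when one attribute is off by a character or a referenced stanza does not exist, and the symptom is just "events still land in main". The script below is an added example, not something from this thread or from Splunk: it parses a props.conf and transforms.conf pair (the conf text is constructed here from the values posted above, with one copy reproducing the DESTKey typo) and reports every TRANSFORMS reference that points at a missing stanza, every index-routing transform whose DEST_KEY is not exactly _MetaData:Index, and every FORMAT that names an index not in an assumed KNOWN_INDEXES set (in practice you would read that set from indexes.conf). Run it on the real files before restarting splunkd on each indexer so the two servers can be compared.

```python
"""Consistency checks for a Splunk props.conf / transforms.conf index-routing pair.

Added example, not from the thread above. The conf texts are constructed from
the values posted there; BAD_TRANSFORMS reproduces the DESTKey typo from the
earlier post so the check can be seen catching it.
"""
import re

GOOD_PROPS = """\
[WinEventLog:Security]
TRANSFORMS-Windows = windows_security
[WinEventLog:System]
TRANSFORMS-Windows = windows_system
"""

GOOD_TRANSFORMS = """\
[windows_security]
REGEX = (.*)
FORMAT = windowsLogs
DEST_KEY = _MetaData:Index
WRITE_META = true
[windows_system]
REGEX = (.*)
FORMAT = windowsLogs
DEST_KEY = _MetaData:Index
WRITE_META = true
"""

# Constructed negative case: wrong attribute name and a missing leading underscore.
BAD_TRANSFORMS = """\
[windows_security]
REGEX = (.*)
FORMAT = windowsLogs
DESTKey = MetaData:Index
WRITE_META = true
"""

# Assumed index list; on a real indexer derive this from indexes.conf.
KNOWN_INDEXES = {"main", "windowsLogs"}


def parse_conf(text):
    """Minimal parser for Splunk's INI-style conf files -> {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_transform(name, attrs, known_indexes):
    """Findings for one transforms.conf stanza that is meant to route to an index."""
    out = []
    # Catch look-alike spellings (DESTKey, DEST_Key, dest_key) that are not DEST_KEY.
    for key in attrs:
        if key != "DEST_KEY" and key.lower().replace("_", "") == "destkey":
            out.append(f"[{name}]: '{key}' is not the attribute DEST_KEY; events will not be rerouted")
    if attrs.get("DEST_KEY") != "_MetaData:Index":
        out.append(f"[{name}]: DEST_KEY must be exactly _MetaData:Index to route to an index")
    if "REGEX" not in attrs:
        out.append(f"[{name}]: REGEX is missing; the transform can never match")
    fmt = attrs.get("FORMAT")
    if fmt is None:
        out.append(f"[{name}]: FORMAT is missing; no target index is set")
    elif fmt not in known_indexes:
        out.append(f"[{name}]: FORMAT names index '{fmt}', which is not defined")
    return out


def check_routing(props_text, transforms_text, known_indexes):
    """Return a list of human-readable findings; an empty list means the pair is consistent."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    findings = []
    for stanza, attrs in props.items():
        for key, value in attrs.items():
            if not key.startswith("TRANSFORMS"):
                continue
            for name in (n.strip() for n in value.split(",") if n.strip()):
                target = transforms.get(name)
                if target is None:
                    findings.append(f"{stanza}: {key} refers to missing transform [{name}]")
                else:
                    findings.extend(check_transform(name, target, known_indexes))
    return findings


if __name__ == "__main__":
    for label, t in (("good", GOOD_TRANSFORMS), ("bad", BAD_TRANSFORMS)):
        print(f"--- {label} ---")
        for f in check_routing(GOOD_PROPS, t, KNOWN_INDEXES) or ["no findings"]:
            print(f)
```

The parser is deliberately minimal (no continuation lines, no precedence merging across system/local and app directories), so point it at the effective files or at `splunk btool ... list --debug` output rather than a single directory when comparing the two indexers.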