I'm currently trying to whitelist incoming Windows events by EventCode, but it doesn't actually filter the events. I've searched through various documentation, but can't seem to find the right settings.
Here's what I did:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs. (I also tried whitelist = 4663 )
whitelist1 = EventCode=4663
# exclude these event IDs from being indexed.
# blacklist =
I'm still a bit confused about which inputs.conf is for what (if anyone has a good documentation for that...)
Did I choose the right one? I tried restarting Splunk, but it's still indexing the wrong events.
What am I missing?
The best documentation you can find is at https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf.
If your filter doesn't run, verify the regex you used in your whitelist.
Thanks for the reply.
From the documentation:
# Event Log filtering
#
# Filtering at the input layer is desirable to reduce the total
# processing load in network transfer and computation on the Splunk
# nodes that acquire and processing Event Log data.
whitelist = <list of eventIDs> | key=regex [key=regex]
blacklist = <list of eventIDs> | key=regex [key=regex]
[...]
* These settings are optional.
* Both numbered and unnumbered whitelists and blacklists support two formats:
  * A comma-separated list of event IDs.
  * A list of key=regular expression pairs.
  * You cannot combine these formats. You can use either format on a specific line.
so I adjusted my inputs.conf to
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs.
# whitelist = EventCode="4663"
whitelist = 4663
# exclude these event IDs from being indexed.
#blacklist = 2001-3000
But still with the same result. It can't be the regex, because I actually don't want to mess with it when I can just take the super easy approach.
I don't think that this is correct:
whitelist = 4663
It should rather be
whitelist = EventCode=4663 or
whitelist = EventCode\=4663.
In https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf there is an example:
whitelist = EventCode=%^200$%
I usually don't filter events in the Universal Forwarder, but only on the Indexers.
whitelist = EventCode\=4663 and
whitelist = EventCode=%^4663$%, but neither worked.
My problem is that I want to get that one EventCode, but it's generated with a lot of other noise around it that I don't want indexed, mostly because it would hit the license pretty hard without any good reason.
Do you know any other way that would be possible?
It's possible, and I did it, but I used a different approach: I filtered events on the indexers; I didn't use whitelist.
I know that this solves only the Splunk license problem and doesn't eliminate network traffic, but it gives me more control over the filter.
Can you tell me how you did it?
I'm not that concerned about network traffic.
Just to be clear, I'm not using forwarders or any fancy setups. All I have is the Splunk server on one machine and the file server on another. The Splunk server is getting the events by itself, and I don't want all of these events.
Maybe my first approach wasn't the right one?
I think that you should use a Universal Forwarder on the file server; in this way the transfer between the file server and the Splunk server is optimized in many ways (compression, cache, bandwidth, etc.).
Anyway, to filter events (see http://docs.splunk.com/Documentation/Splunk/6.5.1/Forwarding/Routeandfilterdatad) you have to edit:
# props.conf
[your_sourcetype]
TRANSFORMS-null = setnull

# transforms.conf
[setnull]
# events whose _raw matches this regex are routed to the null queue
# (dropped before indexing, so they do not count against the license)
REGEX = EventCode\=4663
DEST_KEY = queue
FORMAT = nullQueue
and restart Splunk.
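The original poster wants the opposite of a blacklist: keep only EventCode 4663 and drop everything else from the Security log. The Route and filter data page linked above documents this as "keep specific events and discard the rest", done with two transforms applied in order: the first sends every event to nullQueue, the second sends the events you want back to indexQueue. The following is an added example (not config from the thread) that implements that on the indexer, or on the single Splunk server described in the question. The sourcetype name is an assumption: check it with a search such as `index=* sourcetype=*WinEventLog*Security* | head 1` before applying, since events collected remotely over WMI are not tagged `WinEventLog:Security`.

```ini
# props.conf
# Assumed sourcetype; replace with whatever the Security log events actually carry.
# Transform names are evaluated left to right, so the "drop everything" rule
# must come first and the "keep 4663" rule must come last.
[WinEventLog:Security]
TRANSFORMS-keep4663 = drop_all_security, keep_4663

# transforms.conf
[drop_all_security]
# "." matches any event, so every Security event is routed to nullQueue first.
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_4663]
# Windows event text contains a line of the form "EventCode=4663".
# (?m) makes ^ match at line starts inside the multi-line _raw;
# \b stops 46630 or 46631 from matching.
# Events that match are moved back to indexQueue and are indexed normally.
REGEX = (?m)^EventCode=4663\b
DEST_KEY = queue
FORMAT = indexQueue
```

Restart Splunk after editing both files, then confirm with `index=* sourcetype=WinEventLog:Security | stats count by EventCode`, which should now return only 4663. Because the filtering happens in the parsing pipeline, it must live on the instance that parses the data: the indexer (or the all-in-one server here), not on a Universal Forwarder, which does not run these transforms.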