Getting Data In

How to filter Windows event logs on a Splunk 6.2.3 forwarder?

vad34
Path Finder

Hello

How do I filter events (Windows event log) on a forwarder? By the way, how do I install a heavy forwarder?
I have Splunk 6.2.3.

Thanks in advance

0 Karma
1 Solution

javiergn
Super Champion

Hi, I'm running out of ideas.
The last thing I would suggest is to run the diagnostic tool and upload the output to Dropbox so that I can take a look. Please make sure there's nothing sensitive there that I shouldn't have access to.

How to generate a diag: http://docs.splunk.com/Documentation/Splunk/6.3.2/Troubleshooting/Generateadiag

If I can't find anything in there I would recommend you to open a support call with Splunk as they will be in a much better position than me to debug this problem.

Thanks,
J


0 Karma

javiergn
Super Champion

See this and scroll down to the attribution_link description.
You can use all the non-enterprise apps with your free license so this is not the problem. Have you changed anything at all in the default directory?

Whatever it is, try to restore it to what it was before so that we can focus on one problem at a time, otherwise it's going to be impossible to find out what's going on.

With regards to my other questions above, did you manage to take a look?

0 Karma

javiergn
Super Champion

In fact, it might be easier to remove the Windows Infra app until your event log reading problem is solved.

This is a complex app that requires proper planning before deploying and might be having an undesired side effect.

0 Karma

esix_splunk
Splunk Employee

Full Splunk and a HF are the same instance. The only difference is that a HF is configured not for indexing, but for forwarding events upstream to the indexing tier. An HF is also required for some types of Splunk apps and modular inputs such as DBX, Sourcefire, AWS etc.

vad34
Path Finder

Hello again,
I have configured a heavy forwarder and have specified the other Splunk instance to forward data to.
I also configured in inputs.conf, for Windows System events, a whitelist and blacklist, but I am still able to see other events coming to Splunk, and the filtering isn't working.
Can you please assist?
Thanks in advance

0 Karma

vad34
Path Finder

Anyone? ...

0 Karma

javiergn
Super Champion

Can you paste your inputs.conf stanza here?

0 Karma

vad34
Path Finder

Sure,

[default]
host = splunk-102

[splunktcp://9997]

[WinEventLog:System]
disabled = 0
# only index events with these event IDs.
whitelist = 7036-7037
# exclude these event IDs from being indexed.
blacklist = 0-7035,7037-10000

[WinEventLog:Security]
disabled = 0
current_only=1
blacklist1=EventCode="4726"

the same stanza appears in /opt/splunk/etc/apps/splunk_app_windows_infrastructure and in /opt/splunk/etc/apps/Splunk_TA_windows

0 Karma

javiergn
Super Champion

Hi, I've fixed several typos in your config. Try the following on your wineventlog section:

[WinEventLog://System]
disabled = 0
whitelist = 7036-7037
# Blacklist not needed based on the whitelist defined above

[WinEventLog://Security]
disabled = 0
current_only = 1
# Collect everything but the below
blacklist = 4726

0 Karma

javiergn
Super Champion

And don't forget to restart your splunk service of course.

0 Karma

vad34
Path Finder

Corrected it and restarted the Splunk service, but I'm still getting event 4726.

0 Karma

javiergn
Super Champion

Is the whitelist on your System log stanza working at least?

0 Karma

javiergn
Super Champion

Try the following too that uses advanced filtering. There seems to be some issues on certain versions with blacklists, see this post.

[WinEventLog://System]
disabled = 0
whitelist = 7036-7037
# Blacklist not needed based on the whitelist defined above

[WinEventLog://Security]
disabled = 0
current_only = 1
# Collect everything but the below
blacklist1=EventCode="4726"

0 Karma
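To check which events a stanza like the ones above would actually collect before restarting the forwarder, the following is an added example (not code from the thread or from Splunk): a small offline model of the whitelist/blacklist settings of a WinEventLog input. It goes slightly beyond the thread by handling both the simple format (event IDs and ranges such as 7036-7037) and the advanced format (field="regex" pairs, with % also accepted as the delimiter). Two points are assumptions of this model rather than statements about Splunk's internals: an event is kept when it matches some whitelist entry (or none is set) and matches no blacklist entry, and a regex is searched within the field value, so an exact event ID should be anchored as ^4726$. The sample events are constructed.

```python
import re

# Constructed sample events (not taken from the thread). EventCode and Message
# are two of the fields the Windows event log input exposes to filtering.
SAMPLE_EVENTS = [
    {"EventCode": "7036", "Message": "The Print Spooler service entered the running state."},
    {"EventCode": "7037", "Message": "The Windows Update service was successfully sent a start control."},
    {"EventCode": "7040", "Message": "The start type of the BITS service was changed."},
    {"EventCode": "4726", "Message": "A user account was deleted."},
    {"EventCode": "4624", "Message": "An account was successfully logged on."},
]

# One field="regex" or field=%regex% pair of the advanced format.
_PAIR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|%([^%]*)%)')
# whitelist, whitelist1, ..., blacklist, blacklist1, ...
_KEY_RE = re.compile(r"^(whitelist|blacklist)\d*$")


def parse_stanza(text):
    """Return the key = value settings of a single stanza, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_rule(value):
    """Turn one whitelist/blacklist value into a predicate over an event dict.

    Simple format: comma-separated event IDs and inclusive ranges ("7036-7037").
    Advanced format: one or more field="regex" pairs that must all match (AND).
    """
    if "=" not in value:
        ranges = []
        for part in value.split(","):
            lo, _, hi = part.strip().partition("-")
            ranges.append((int(lo), int(hi or lo)))
        return lambda ev: any(lo <= int(ev["EventCode"]) <= hi for lo, hi in ranges)
    pairs = [(m.group(1), re.compile(m.group(2) if m.group(2) is not None else m.group(3)))
             for m in _PAIR_RE.finditer(value)]
    # Assumption of this model: the regex is searched within the field value,
    # so anchor it (e.g. "^4726$") when an exact event ID is intended.
    return lambda ev: all(rx.search(str(ev.get(field, ""))) for field, rx in pairs)


def build_filter(stanza_text):
    """Compile a stanza's whitelist*/blacklist* settings into a keep(event) function.

    Assumed precedence (a simplification, not Splunk's documented behaviour):
    an event is kept when it matches some whitelist entry (or none is set)
    and matches no blacklist entry. Numbered entries of one kind are ORed.
    """
    whitelists, blacklists = [], []
    for key, value in parse_stanza(stanza_text).items():
        m = _KEY_RE.match(key)
        if not m:
            continue
        (whitelists if m.group(1) == "whitelist" else blacklists).append(parse_rule(value))

    def keep(event):
        allowed = not whitelists or any(rule(event) for rule in whitelists)
        return allowed and not any(rule(event) for rule in blacklists)

    return keep


def collected_codes(stanza_text, events=SAMPLE_EVENTS):
    """EventCodes from `events` that the stanza would collect, in input order."""
    keep = build_filter(stanza_text)
    return [ev["EventCode"] for ev in events if keep(ev)]


# The first System stanza from the thread: whitelist and blacklist overlap on 7037,
# so under this model 7037 is whitelisted and then blacklisted away.
ORIGINAL_SYSTEM = """
[WinEventLog://System]
disabled = 0
whitelist = 7036-7037
blacklist = 0-7035,7037-10000
"""

# The simplified System stanza: whitelist only, no conflicting blacklist.
FIXED_SYSTEM = """
[WinEventLog://System]
disabled = 0
whitelist = 7036-7037
"""

# Security stanza using the advanced format to drop exactly one event ID.
SECURITY = """
[WinEventLog://Security]
disabled = 0
current_only = 1
blacklist1 = EventCode="^4726$"
"""

if __name__ == "__main__":
    for name, stanza in [("original System", ORIGINAL_SYSTEM),
                         ("fixed System", FIXED_SYSTEM), ("Security", SECURITY)]:
        print(f"{name}: collects {collected_codes(stanza)}")
```

Run it as a script to see each stanza's outcome over the sample events; the overlap between the whitelist and blacklist in the first System stanza is the reason the thread's simplified version drops the blacklist entirely.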

vad34
Path Finder

still the same 😞

0 Karma


vad34
Path Finder

Yes, I see the event in Splunk (event ID 7036).

0 Karma

vad34
Path Finder

Thanks for the quick reply,
I am unable to see how to download the HF; only the UF can be downloaded...

0 Karma

javiergn
Super Champion

UF is a different installer. Everything else comes from the same one. Simply download Splunk Enterprise and configure it to behave like a HF following the instructions I mentioned above.

vad34
Path Finder

thanks a lot

0 Karma