Getting Data In

How to filter Windows event logs on a Splunk 6.2.3 forwarder?

vad34
Path Finder

Hello

How do I filter events (Windows event log) on a forwarder? By the way, how do I install a heavy forwarder?
I have Splunk 6.2.3.

Thanks in advance

0 Karma
1 Solution

javiergn
SplunkTrust

Hi, I'm running out of ideas.
The last thing I would suggest is to run the diagnostic tool and upload the output to Dropbox so that I can take a look. Please make sure there's nothing sensitive there that I shouldn't have access to.

How to generate a diag: http://docs.splunk.com/Documentation/Splunk/6.3.2/Troubleshooting/Generateadiag

If I can't find anything in there I would recommend you to open a support call with Splunk as they will be in a much better position than me to debug this problem.

Thanks,
J

0 Karma

javiergn
SplunkTrust

See this and scroll down to the attribution_link description.
You can use all the non-enterprise apps with your free license so this is not the problem. Have you changed anything at all in the default directory?

Whatever it is, try to restore it to what it was before so that we can focus on one problem at a time, otherwise it's going to be impossible to find out what's going on.

With regards to my other questions above, did you manage to take a look?

0 Karma

javiergn
SplunkTrust

In fact, it might be easier to remove the Windows Infra app until your event log reading problem is solved.

This is a complex app that requires proper planning before deploying and might be having an undesired side effect.

0 Karma

esix_splunk
Splunk Employee

Full Splunk and a HF are the same instance. The only difference is that a HF is configured not for indexing, but for forwarding events upstream to the indexing tier. An HF is also required for some types of Splunk Apps and modular inputs such as DBX, Sourcefire, AWS etc.

vad34
Path Finder

Hello again,
I have configured a heavy forwarder and have specified another Splunk instance to forward data to.
I also configured a whitelist & blacklist for Windows System events in inputs.conf, but I am still able to see other events coming to Splunk, so the filtering isn't working.
Can you please assist?
Thanks in advance

0 Karma

vad34
Path Finder

Anyone? ...

0 Karma

javiergn
SplunkTrust

Can you paste your inputs.conf stanza here?

0 Karma

vad34
Path Finder

Sure,
[default]
host = splunk-102
[splunktcp://9997]
[WinEventLog:System]
disabled = 0
# only index events with these event IDs.
whitelist = 7036-7037
# exclude these event IDs from being indexed.
blacklist = 0-7035,7037-10000
[WinEventLog:Security]
disabled = 0
current_only=1
blacklist1=EventCode="4726"

The same stanza appears in /opt/splunk/etc/apps/splunk_app_windows_infrastructure and in /opt/splunk/etc/apps/Splunk_TA_windows

0 Karma

javiergn
SplunkTrust

Hi, I've fixed several typos in your config. Try the following on your wineventlog section:

[WinEventLog://System]
disabled = 0
whitelist = 7036-7037
# Blacklist not needed based on the whitelist defined above

[WinEventLog://Security]
disabled = 0
current_only = 1
# Collect everything but the below
blacklist = 4726

0 Karma

javiergn
SplunkTrust

And don't forget to restart your splunk service of course.

0 Karma

vad34
Path Finder

Corrected it and restarted the Splunk service, but I am still getting event 4726.

0 Karma

javiergn
SplunkTrust

Is the whitelist on your System log stanza working at least?

0 Karma

javiergn
SplunkTrust

Try the following too, which uses advanced filtering. There seem to be some issues on certain versions with blacklists, see this post.

[WinEventLog://System]
disabled = 0
whitelist = 7036-7037
# Blacklist not needed based on the whitelist defined above

[WinEventLog://Security]
disabled = 0
current_only = 1
# Collect everything but the below
blacklist1 = EventCode="4726"

0 Karma
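A small inputs.conf checker, written as an added example for this thread (it is not Splunk's code and not from any poster), that flags the three things the corrected stanzas above and the advanced-filter variant depend on: a [WinEventLog:...] header missing the //, event IDs that sit in both whitelist and blacklist (7037 does in the original stanza), and curly quotes inside an EventCode filter. The sample config and the lint rules are my own constructions; the checker only reports the overlap and does not claim which list Splunk applies first.

```python
import re
# Constructed sample assembled from the stanzas posted in this thread (not the
# poster's file): a header missing "://", overlapping IDs, curly-quoted filter.
SAMPLE_CONF = """\
[WinEventLog:System]
whitelist = 7036-7037
blacklist = 0-7035,7037-10000
[WinEventLog://Security]
blacklist1=EventCode=\u201d4726\u201d
"""
STANZA_RE = re.compile(r"^\[([^\]]+)\]$")
RANGE_RE = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")  # e.g. 0-7035,7037-10000

def parse_conf(text):
    """Return {stanza: {key: value}}, skipping blank and '#' comment lines."""
    stanzas, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := STANZA_RE.match(line):
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            current[key.strip()] = val.strip()
    return stanzas

def id_set(spec):
    """Expand an event-ID list such as '0-7035,7037-10000' into a set."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def lint(text):
    """Return findings for the WinEventLog stanzas in an inputs.conf text."""
    findings = []
    for name, kv in parse_conf(text).items():
        if name.startswith("WinEventLog") and not name.startswith("WinEventLog://"):
            findings.append(f"[{name}]: header should be [WinEventLog://<log>]")
        for key, val in kv.items():
            if key.startswith(("whitelist", "blacklist")) and ("\u201c" in val or "\u201d" in val):
                findings.append(f"[{name}] {key}: curly quotes will not match; use straight quotes")
        wl, bl = kv.get("whitelist"), kv.get("blacklist")
        if wl and bl and RANGE_RE.match(wl) and RANGE_RE.match(bl):
            both = sorted(id_set(wl) & id_set(bl))
            if both:
                findings.append(f"[{name}]: IDs {both} are in both whitelist and blacklist")
    return findings
```

Run lint() over the real file on the forwarder before restarting; an empty list means none of the three mistakes from this thread is present.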

vad34
Path Finder

still the same 😞

0 Karma

vad34
Path Finder

Yes, I see the event in Splunk (event ID 7036).

0 Karma

vad34
Path Finder

Thanks for the quick reply,
I am unable to see how to download the HF, only the UF can be downloaded...

0 Karma

javiergn
SplunkTrust

UF is a different installer. Everything else comes from the same one. Simply download Splunk Enterprise and configure it to behave like a HF following the instructions I mentioned above.

vad34
Path Finder

thanks a lot

0 Karma