Hello
How do I filter events (Windows event log) on a forwarder? By the way, how do I install a heavy forwarder?
I have Splunk 6.2.3.
Thanks in advance
Hi, I'm running out of ideas.
The last thing I would suggest is to run the diagnostic tool and upload the output to Dropbox so that I can take a look. Please make sure there's nothing sensitive there that I shouldn't have access to.
How to generate a diag: http://docs.splunk.com/Documentation/Splunk/6.3.2/Troubleshooting/Generateadiag
If I can't find anything in there I would recommend you open a support call with Splunk, as they will be in a much better position than me to debug this problem.
Thanks,
J
See this and scroll down to the attribution_link description.
You can use all the non-enterprise apps with your free license so this is not the problem. Have you changed anything at all in the default directory?
Whatever it is, try to restore it to what it was before so that we can focus on one problem at a time; otherwise it's going to be impossible to find out what's going on.
With regards to my other questions above, did you manage to take a look?
In fact, it might be easier to remove the Windows Infra app until your event log reading problem is solved.
This is a complex app that requires proper planning before deploying and might be having an undesired side effect.
Full Splunk and an HF are the same instance. The only difference is that an HF is configured not for indexing, but for forwarding events upstream to the indexing tier. An HF is also required for some types of Splunk apps and modular inputs such as DBX, Sourcefire, AWS etc.
Hello again,
I have configured a heavy forwarder and have specified another Splunk instance to forward data to.
I also configured a whitelist and blacklist for Windows System events in inputs.conf, but I can still see other events coming into Splunk, so the filtering isn't working.
Can you please assist?
Thanks in advance
Anyone? ...
Can you paste your inputs.conf stanza here?
Sure,
[default]
host = splunk-102
[splunktcp://9997]
[WinEventLog:System]
disabled = 0
whitelist = 7036-7037
blacklist = 0-7035,7037-10000
[WinEventLog:Security]
disabled = 0
current_only=1
blacklist1=EventCode="4726"
The same stanza appears in /opt/splunk/etc/apps/splunk_app_windows_infrastructure and in /opt/splunk/etc/apps/Splunk_TA_windows.
Hi, I've fixed several typos in your config. Try the following on your wineventlog section:
[WinEventLog://System]
disabled = 0
whitelist = 7036-7037
# Blacklist not needed based on the whitelist defined above
[WinEventLog://Security]
disabled = 0
current_only = 1
# Collect everything but the below
blacklist = 4726
And don't forget to restart your splunk service of course.
Corrected it and restarted the Splunk service, but I am still getting event 4726.
Is the whitelist on your System log stanza working at least?
Try the following too, which uses advanced filtering. There seem to be some issues on certain versions with blacklists, see this post.
[WinEventLog://System]
disabled = 0
whitelist = 7036-7037
# Blacklist not needed based on the whitelist defined above
[WinEventLog://Security]
disabled = 0
current_only = 1
# Collect everything but the below
blacklist1 = EventCode="4726"
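An added offline checker (not Splunk's code and not from this thread) for the two filter syntaxes used in the stanzas above: it expands numeric ranges such as 7036-7037 and 0-7035,7037-10000, parses the advanced key=regex form such as EventCode="4726", and reports event codes that appear in both the whitelist and the blacklist, which is the case for 7037 in the original System stanza. It assumes the regex form is tested as a search against the named field's value.

```python
import re

# Matches the plain numeric form: single codes and ranges, comma-separated.
NUMERIC_RE = re.compile(r"^\s*\d+(\s*-\s*\d+)?\s*(,\s*\d+(\s*-\s*\d+)?\s*)*$")


def parse_numeric(value):
    """Expand "7036-7037" or "0-7035,7037-10000" into a set of event codes."""
    codes = set()
    for part in value.split(","):
        lo, _, hi = part.strip().partition("-")
        codes.update(range(int(lo), int(hi or lo) + 1))
    return codes


def parse_advanced(value):
    """Parse the key=regex form, e.g. EventCode="4726", into (key, regex).
    Surrounding double quotes around the pattern are stripped before compiling."""
    key, _, pattern = value.partition("=")
    return key.strip(), re.compile(pattern.strip().strip('"'))


def filter_matches(value, event):
    """Does one whitelist/blacklist value match an event (dict of field -> str)?
    Assumption: the regex form is applied as a search on the field's value."""
    if NUMERIC_RE.match(value):
        return int(event["EventCode"]) in parse_numeric(value)
    key, regex = parse_advanced(value)
    return key in event and regex.search(event[key]) is not None


def filter_values(stanza, prefix):
    """Collect whitelist/whitelist1/... or blacklist/blacklist1/... values."""
    return [v for k, v in stanza.items() if re.fullmatch(prefix + r"\d*", k)]


def overlapping_codes(stanza):
    """Event codes present in both numeric whitelist and numeric blacklist ranges.
    Any code returned here makes the stanza ambiguous and should be removed."""
    white = set().union(*(parse_numeric(v) for v in filter_values(stanza, "whitelist") if NUMERIC_RE.match(v)))
    black = set().union(*(parse_numeric(v) for v in filter_values(stanza, "blacklist") if NUMERIC_RE.match(v)))
    return sorted(white & black)


# Constructed from the stanzas posted earlier in this thread.
SYSTEM_STANZA = {"disabled": "0", "whitelist": "7036-7037", "blacklist": "0-7035,7037-10000"}
SECURITY_STANZA = {"disabled": "0", "current_only": "1", "blacklist1": 'EventCode="4726"'}

if __name__ == "__main__":
    print("System stanza overlap:", overlapping_codes(SYSTEM_STANZA))  # [7037]
    print("4726 blacklisted:", filter_matches(SECURITY_STANZA["blacklist1"], {"EventCode": "4726"}))
```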
still the same 😞
Yes, I see the event in Splunk (event ID 7036).
Thanks for the quick reply,
I am unable to see how to download the HF; only the UF can be downloaded...
UF is a different installer. Everything else comes from the same one. Simply download Splunk Enterprise and configure it to behave like a HF following the instructions I mentioned above.
Thanks a lot