Getting Data In

How to filter Windows event logs on a Splunk 6.2.3 forwarder?

Path Finder

Hello

How do I filter events (Windows event log) on a forwarder? BTW, how do I install a heavy forwarder?
I have Splunk 6.2.3.

Thanks in advance

1 Solution

SplunkTrust

Hi, I'm running out of ideas.
The last thing I would suggest is to run the diagnostic tool and upload the output to Dropbox so that I can take a look. Please make sure there's nothing sensitive there that I shouldn't have access to.

How to generate a diag: http://docs.splunk.com/Documentation/Splunk/6.3.2/Troubleshooting/Generateadiag

If I can't find anything in there I would recommend you open a support call with Splunk, as they will be in a much better position than me to debug this problem.

Thanks,
J


Path Finder

Thanks for the quick reply, really appreciate it!!

The inputs.conf exists in /opt/splunk/etc/system/local/:
[root@splunk-102 local]# vi inputs.conf
[default]
host = splunk-102
[splunktcp://9997]

[WinEventLog://System]
disabled = 0
whitelist = 7036-7037

[WinEventLog://Security]
disabled = 0
blacklist = 4726


SplunkTrust

Hi, the inputs.conf file looks all right to me.

  • Is it definitely not working?
  • Did you install your UF in a new server? Is it the only instance of Splunk running there?
  • Did you install the splunk_app_windows_infrastructure and Splunk_TA_windows apps? If so, why? In principle you don't need those apps to read event logs as this is natively supported by Splunk, so I would move them outside the apps directory for now until your problem is solved.

Path Finder

Maybe because of using the Splunk free license?


Path Finder

Hi, I have removed the Windows app for Splunk and reinstalled it again, still the same 😞


SplunkTrust

Hi,

I'm assuming this is your inputs.conf and your blacklist is still not working:

[WinEventLog://System]
disabled = 0
whitelist = 7036-7037

[WinEventLog://Security]
disabled = 0
blacklist = 4726

Could you try debugging your inputs file with btool? See this:

 ./splunk cmd btool inputs list --debug

Path Finder

Hi, thanks for the quick reply.
All seems OK besides this: Invalid key in stanza [ui] in /opt/splunk/etc/apps/splunk_app_windows_infrastructure/default/app.conf, line 14: attributionlink (value: app.attributions).


SplunkTrust

Hi, I thought you had removed the Windows app from there:

  • Stop Splunk
  • Delete (or move somewhere else) the whole "/opt/splunk/etc/apps/splunk_app_windows_infrastructure" directory
  • Start Splunk

Can you also post the output of your btool inputs command here?


Path Finder

I removed the Windows app and restarted Splunk.
Can you please write your email address here so I can send you the output file (it's too big to paste here)?


SplunkTrust

Hi, people usually paste big outputs on pastebin or GitHub and then post the link in here. This way everybody will get access to it.


Path Finder

SplunkTrust

Hi, by looking at the Security Log section I think there's a conflict between Splunk_TA_windows and your system local config. This is not the case for the System Log section. See below:

[WinEventLog://Security]
/opt/splunk/etc/system/default/inputs.conf                             _rcvbuf = 1572864
/opt/splunk/etc/system/local/inputs.conf                               blacklist = 4726
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf             blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf             blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"

If I were you I would comment out blacklist1 and blacklist2 in /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf and see if that solves the problem. Keep in mind you shouldn't make changes to default files, so once we find the problem make sure you roll this back.

Alternatively, move the whole Splunk_TA_windows app somewhere else temporarily (or permanently if you don't need it just yet).


Path Finder

Path Finder

Hello, I performed the correction to blacklist = 4726, but I am still able to see the event in Splunk.
I removed the server classes for System and Security and now I am unable to see System and Security events.
Is there no way to configure inputs.conf to see events without server classes?
Thanks


SplunkTrust

Hi, take a look at the following line:

/opt/splunk/etc/system/local/inputs.conf                               blacklist = EventCode="4726" Message="Object Type:\s+(?!groupPolicyContainer)"

The syntax is wrong and it should be either:

blacklist = 4726

Or:

blacklist1 = EventCode="4726" Message="Object Type:\s+(?!groupPolicyContainer)"

Edit "/opt/splunk/etc/system/local/inputs.conf" and try the first one (easier). Restart Splunk and let me know. As you can see, debugging with btool is one of the most efficient ways to find out what's going on.

Thanks,
J

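The two answers above (the btool listing showing blacklist from system/local next to blacklist1/blacklist2 from the TA's default, and the explanation that `blacklist = EventCode="4726" ...` is the wrong syntax for a plain blacklist) can be checked mechanically. The following script is an added example, not code from this thread or from Splunk: it merges inputs.conf files per key in the same precedence order btool uses for the global context (system/local, then app local, then app default, then system/default; the ordering between different apps is deliberately ignored as a simplification), lints WinEventLog whitelist/blacklist keys against the two accepted forms, and decides whether a numeric filter would drop a given event code. The sample files are constructed from the stanzas quoted in the thread; `precedence`, `effective_stanza`, `lint_filters` and `drops_event` are this example's own names.

```python
"""Merge Splunk inputs.conf files like `btool inputs list --debug` and lint
WinEventLog filter keys. Added example; not Splunk's code.

Accepted filter syntaxes for [WinEventLog://...] stanzas:
  whitelist / blacklist     comma-separated event codes or ranges, e.g. 4726 or 7036-7037
  whitelistN / blacklistN   key="regex" pairs, e.g. EventCode="4726" Message="..."
"""
import re
from configparser import ConfigParser

NUMERIC_LIST = re.compile(r"^\s*\d+(?:-\d+)?(?:\s*,\s*\d+(?:-\d+)?)*\s*$")
KEY_REGEX_LIST = re.compile(r'^\s*(?:\w+="[^"]*"\s*)+$')
PLAIN_KEY = re.compile(r"^(?:whitelist|blacklist)$")
INDEXED_KEY = re.compile(r"^(?:whitelist|blacklist)\d+$")


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, preserving key case."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def precedence(path):
    """Lower number wins; assumption: only the four global tiers are modelled."""
    if "/etc/system/local/" in path:
        return 0
    if "/etc/apps/" in path and "/local/" in path:
        return 1
    if "/etc/apps/" in path and "/default/" in path:
        return 2
    if "/etc/system/default/" in path:
        return 3
    raise ValueError(f"unrecognised config location: {path}")


def effective_stanza(files, stanza):
    """Return {key: (value, winning_path)} for one stanza across all files.

    Lowest-precedence files are applied first so higher tiers overwrite per
    key; keys that exist only in a lower tier (blacklist1/2 in the TA) survive
    next to keys from system/local, exactly as the btool output shows.
    """
    merged = {}
    for path in sorted(files, key=precedence, reverse=True):
        for key, value in parse_conf(files[path]).get(stanza, {}).items():
            merged[key] = (value, path)
    return merged


def lint_filters(stanza, keys):
    """Return a list of syntax problems in whitelist/blacklist keys."""
    issues = []
    for key, value in keys.items():
        if PLAIN_KEY.match(key) and not NUMERIC_LIST.match(value):
            issues.append(f"[{stanza}] {key} = {value!r}: plain {key} takes event codes "
                          f"or ranges only (e.g. {key} = 4726); use {key}1 = key=\"regex\" "
                          f"for a regex filter")
        elif INDEXED_KEY.match(key) and not KEY_REGEX_LIST.match(value):
            issues.append(f"[{stanza}] {key} = {value!r}: indexed {key} takes key=\"regex\" pairs")
    return issues


def codes_in(value):
    """Expand '7036-7037,7040' into the set of event codes it covers."""
    codes = set()
    for item in value.split(","):
        lo, _, hi = item.strip().partition("-")
        codes.update(range(int(lo), int(hi or lo) + 1))
    return codes


def _numeric(keys, name):
    value = keys.get(name)
    return codes_in(value) if value and NUMERIC_LIST.match(value) else None


def drops_event(keys, event_code):
    """True if the numeric whitelist/blacklist keys drop this event code.

    A malformed plain blacklist (regex text in `blacklist =`) is not a numeric
    filter, so it drops nothing: the failure mode seen in the thread.
    Indexed regex filters are not evaluated here.
    """
    whitelist, blacklist = _numeric(keys, "whitelist"), _numeric(keys, "blacklist")
    if whitelist is not None and event_code not in whitelist:
        return True
    return blacklist is not None and event_code in blacklist


# Constructed sample files, built from the stanzas quoted in the thread.
SAMPLE_FILES = {
    "/opt/splunk/etc/system/default/inputs.conf": r"""
[WinEventLog://Security]
_rcvbuf = 1572864
""",
    "/opt/splunk/etc/system/local/inputs.conf": r"""
[WinEventLog://System]
disabled = 0
whitelist = 7036-7037

[WinEventLog://Security]
disabled = 0
blacklist = EventCode="4726" Message="Object Type:\s+(?!groupPolicyContainer)"
""",
    "/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf": r"""
[WinEventLog://Security]
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
""",
}


def report(files, stanza="WinEventLog://Security"):
    """Print the effective stanza btool-style and return lint findings."""
    eff = effective_stanza(files, stanza)
    for key, (value, path) in eff.items():
        print(f"{path:<60} {key} = {value}")
    return lint_filters(stanza, {k: v for k, (v, _) in eff.items()})


if __name__ == "__main__":
    for issue in report(SAMPLE_FILES):
        print("PROBLEM:", issue)
```

Running it prints the merged Security stanza with the winning file per key and one PROBLEM line for the malformed `blacklist`; once that key is changed to `blacklist = 4726` (or renamed `blacklist1`), `lint_filters` returns nothing and `drops_event` reports 4726 as dropped. The merge is per key, which is why commenting out blacklist1/blacklist2 in the TA, as suggested above, changes the effective stanza even though system/local "wins".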

Path Finder

SplunkTrust

Hi, I don't think you included all the flags. The output does not contain any details. This is the syntax:

  ./splunk cmd btool inputs list --debug

Path Finder

Hello, I performed it but still no result.


SplunkTrust

Hi, can you upload the new btool output for your inputs.conf file in order to see the effective changes?


Path Finder

OK, I tried but still able to see the event ID 4726 😞


SplunkTrust

I'm running out of ideas.

  • When you said before 7036 is working fine in your System stanza, are there any System events outside the specified range (7036-7037) arriving at all?
  • Have you tried removing the current_only attribute in your Security stanza?
  • Maybe there's a conflict with other apps. Could you try debugging your inputs file with btool? See this: ./splunk cmd btool inputs list --debug
  • Can you try downloading and installing the latest version of Splunk (6.3.2)?
  • The following stanza should work just fine, so if I were you and none of the above works, I would raise a support call with Splunk and try to find out what's going on.

    [WinEventLog://System]
    disabled = 0
    whitelist = 7036-7037

    [WinEventLog://Security]
    disabled = 0
    blacklist = 4726


Path Finder

Thanks for the assistance, appreciate it. The Splunk version is 6.3.2; I tried without the current_only attribute in the Security stanza.

I see this message while restarting the Splunk service:
Invalid key in stanza [ui] in /opt/splunk/etc/apps/splunk_app_windows_infrastructure/default/app.conf, line 14: attributionlink (value: app.attributions).
