
How to filter Windows event logs on a Splunk 6.2.3 forwarder?

Path Finder

Hello

How do I filter events (Windows event log) on a forwarder? By the way, how do I install a heavy forwarder?
I have Splunk 6.2.3.

Thanks in advance

0 Karma

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

SplunkTrust

Take a look at the whitelist and blacklist attributes:

http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/MonitorWindowsdata

You can even use advanced filtering now (see the advanced filtering section).

For question number 2, the way you install an HF is exactly the same as for any other Splunk Enterprise instance. Just configure inputs and outputs accordingly and it'll behave like one. Take a look at this:

http://docs.splunk.com/Documentation/Splunk/6.2.3/Forwarding/Deployaheavyforwarder

Hope that helps.

Thanks,
J
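
Added example, not from J's reply or from the Splunk docs it links: an inputs.conf for the Windows host that actually reads the event logs (a universal forwarder, or a heavy forwarder that runs on Windows), showing both the simple event-ID-range form and the advanced key="regex" form of whitelist/blacklist. The stanza names use the WinEventLog:// form documented for 6.x; the svc-backup account name is an assumption made up for the illustration.

```ini
# inputs.conf on the Windows host that collects the logs (universal forwarder,
# or a heavy forwarder running on Windows). Added example; svc-backup is an
# assumed account name. whitelist/blacklist act only on what this input reads,
# so they must sit on the collecting host, not on a downstream forwarder.

[WinEventLog://System]
disabled = 0
# Simple form: event ID ranges. Only service start/stop events (7036, 7037)
# are collected; every other ID is dropped at the input, so no blacklist is
# needed and no ID ends up in both lists.
whitelist = 7036-7037

[WinEventLog://Security]
disabled = 0
# Start from the newest event instead of replaying the whole log on first start.
current_only = 1
# Advanced form: key="regex" pairs. Pairs on one line must all match (AND);
# separately numbered blacklist entries are alternatives (OR).
# blacklist1: drop the user-account-deleted event (4726) entirely.
blacklist1 = EventCode="^4726$"
# blacklist2: drop successful logons (4624) by one noisy service account,
# but keep 4624 for everyone else.
blacklist2 = EventCode="^4624$" Message="Account Name:\s+svc-backup\b"
```

Filtering at the input is the cheapest place to do it: the events never leave the host. Anything that has already been forwarded to another Splunk instance is past this stage, and these attributes do nothing for it there.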


Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

Path Finder

Thanks for the quick reply.
I am unable to see how to download the HF; only the UF can be downloaded...

0 Karma

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

SplunkTrust

The UF is a different installer. Everything else comes from the same one. Simply download Splunk Enterprise and configure it to behave like an HF following the instructions I mentioned above.


Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

Path Finder

Thanks a lot

0 Karma

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

Splunk Employee

Full Splunk and an HF are the same instance. The only difference is that an HF is configured not for indexing, but for forwarding events upstream to the indexing tier. An HF is also required for some types of Splunk apps and modular inputs such as DBX, Sourcefire, AWS etc.


Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

Path Finder

Hello again,
I have configured a heavy forwarder and have specified another Splunk instance to forward data to.
I also configured the whitelist and blacklist for Windows system events in inputs.conf, but I can still see other events coming into Splunk, so the filtering isn't working.
Can you please assist?
Thanks in advance

0 Karma

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

Path Finder

Anyone? ...

0 Karma

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

SplunkTrust

Can you paste your inputs.conf stanza here?

0 Karma

Re: How to filter Windows event logs on a Splunk 6.2.3 forwarder?

Path Finder

Sure,

[default]
host = splunk-102

[splunktcp://9997]

[WinEventLog:System]
disabled = 0
# only index events with these event IDs.
whitelist = 7036-7037
# exclude these event IDs from being indexed; 7037 is whitelisted above, so the
# range stops at 7035 and restarts at 7038 rather than listing 7037 in both.
blacklist = 0-7035,7038-10000

[WinEventLog:Security]
disabled = 0
current_only = 1
blacklist1 = EventCode="4726"

The same stanza appears in /opt/splunk/etc/apps/splunk_app_windows_infrastructure and in /opt/splunk/etc/apps/Splunk_TA_windows.

0 Karma
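
Added example, not part of the thread. The paths in the post (/opt/splunk/...) show the heavy forwarder runs on Linux, where WinEventLog stanzas never collect anything; the Windows events it is seeing must be arriving from other forwarders on its [splunktcp://9997] input, and whitelist/blacklist in inputs.conf only apply to the input that reads the log, not to data received over splunktcp. A heavy forwarder does parse, so it can still drop events before forwarding them, with props.conf and transforms.conf. The sourcetype names WinEventLog:System and WinEventLog:Security are the ones the Windows event log input assigns; the regexes match the EventCode= line of the classic event text. File locations and transform names are assumptions for this example.

```ini
# props.conf on the heavy forwarder (e.g. /opt/splunk/etc/system/local/).
# Added example, not from the original post. Transforms in a TRANSFORMS-
# list run in order, and the last one that matches decides the queue.
[WinEventLog:System]
TRANSFORMS-filter_system = system_to_null, system_keep_7036_7037

[WinEventLog:Security]
TRANSFORMS-filter_security = security_drop_4726

# transforms.conf on the same heavy forwarder.
# Step 1: send every System event to nullQueue (discarded, never forwarded).
[system_to_null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Step 2: route 7036 and 7037 back to indexQueue; \b stops 70360 etc. matching.
[system_keep_7036_7037]
REGEX = EventCode=703[67]\b
DEST_KEY = queue
FORMAT = indexQueue

# Security: drop only the user-account-deleted event, keep the rest.
[security_drop_4726]
REGEX = EventCode=4726\b
DEST_KEY = queue
FORMAT = nullQueue
```

These two files only take effect on an instance that parses, which a heavy forwarder does and a universal forwarder does not; on a UF they would have to live on the indexer instead. After a restart, `splunk btool props list WinEventLog:System --debug` shows whether the TRANSFORMS- setting is actually in effect and which file it came from. The same check answers the question raised by having the stanza in both splunk_app_windows_infrastructure and Splunk_TA_windows: `splunk btool inputs list WinEventLog:System --debug` prints the copy that wins app precedence, so you can see which whitelist and blacklist Splunk is really using.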