Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to filter windows event logs in forwarder based on event codes?

naagaraj
Engager
‎02-27-2020 12:17 AM

Hi,

I am trying to pull event logs from remote machines using universal forwarders. I have done the configuration in the inputs.conf files.
below is the configuration in my inputs.conf file.
[WinEventLog://Application]
disabled = 0
index = win_events
crcSalt = SOURCE

[WinEventLog://Security]
disabled = 0
index = win_events
crcSalt = SOURCE

[WinEventLog://System]
disabled = 0
index = win_events
crcSalt = SOURCE

[WinEventLog://Setup]
disabled = 0
index = win_events
crcSalt = SOURCE

Now I dont want all event codes from the logs. I would require only 4800 and 4801.
is there any way in which only the events related to the two events can be forwarded to an index.

Thanks

Labels (1)
Labels
0 Karma
Reply

fulldanad
Path Finder
‎06-16-2023 04:29 AM

[WinEventLog://ForwardedEvents]

disabled = 0

checkpointInterval = 5

current_only = 0

start_from = oldest

index = wineventlog
# Filtering can be done with regex on the following field names :  Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User

whitelist = EventCode=%^(400|1102|4610|4624|4625|4656|4662|4663|4697|4698|4723|4724|4728|4738|4756|4759|4765|4768|4769|4771|4776|4794|1|2|3|7|11|13|22)$%

blacklist01 = User=%^.*\$$%

blacklist02 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"

renderXml = true

suppress_text = true

suppress_sourcename= true

suppress_keywords= true

suppress_task = true

suppress_opcode = true

 

0 Karma
Reply

somesoni2
Revered Legend
‎02-27-2020 12:22 PM

Have a look at this: (inputs.conf setting on Universal Forwarder)

https://docs.splunk.com/Documentation/Splunk/8.0.2/Data/MonitorWindowseventlogdata#Create_advanced_f...

OR

https://www.hurricanelabs.com/splunk-tutorials/windows-event-log-filtering-design-in-splunk

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...