Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to forward only Windows events (XML) to a 3rd party system?

billy
Loves-to-Learn Lots
‎03-12-2024 05:16 PM

I have a universal forwarder running on my Domain Controller which only captures logon/logff events.

inputs.conf

```

[WinEventLog://Security]
disabled = 0
current_only
renderXml = 1
whitelist = 4624, 4634

```

In my Splunk server I set up forwarding to a 3rd party.

outputs.conf

```

[tcpout]
defaultGroup = nothing

[tcpout:foobar]
server = 10.2.84.209:9997
sendCookedData = false

[tcpout-server://10.2.84.209:9997]

```

props.conf

```

[XmlWinEventLog:Security]
TRANSFORMS-Xml=foo

```

Transforms.conf

```

[foo]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=foobar

```

Before creating/editing these conf files I am still seeing lots of non- Windows events being sent to the destination. With these confs in place I am not seeing any events being forwarded.

What's the easiest fix to my conf files so that I only send XMLs to the 3rd party system?

Thanks, Billy

EDIT: What markup does this forum use? single/triple backticks dont work, nor is <pre></pre>

Labels (3)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-04-2024 01:14 AM

As you are running Universal Forwarder it does not process the transforms by default.

You could try enabling force_local_processing option for a sourcetype but it's not very well docummented and generally not advisable since it increases load on the UF (which is supposed to be as lightweight as possible).

0 Karma
Reply

KothariSurbhi
Loves-to-Learn Lots
‎04-04-2024 12:51 AM

Hello @billy ,

Can you please use the configuration provided below, where I've added the sourcetype in inputs.conf:

 

[WinEventLog://Security]
disabled = 0
current_only
renderXml = 1
whitelist = 4624, 4634
sourcetype = XmlWinEventLog:Security

 

 

2 - You can also configure the files using source instead of sourcetype

 

inputs.conf -
[WinEventLog://Security]
disabled = 0
current_only
renderXml = 1
whitelist = 4624, 4634

props.conf - 
[source::XmlWinEventLog:Security]
TRANSFORMS-Xml = send_to_3rd_party

transforms.conf
[send_to_3rd_party]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = foobar

 

If this reply helps you, Karma would be appreciated.

Thanks,
Surbhi

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...