How to forward only Windows events (XML) to a 3rd party system?

billy
Loves-to-Learn Everything

I have a universal forwarder running on my Domain Controller which only captures logon/logoff events.

inputs.conf

```
[WinEventLog://Security]
disabled = 0
# only collect events written after the input starts (no historical backfill)
current_only = 1
# emit each event as its raw XML rendering
renderXml = 1
# keep only logon (4624) and logoff (4634) events
whitelist = 4624, 4634
```

In my Splunk server I set up forwarding to a 3rd party.

outputs.conf

```
[tcpout]
# no real default group, so only events a _TCP_ROUTING transform picks up get forwarded
defaultGroup = nothing

[tcpout:foobar]
server = 10.2.84.209:9997
# send raw event text rather than Splunk's cooked format, which a non-Splunk receiver expects
sendCookedData = false

[tcpout-server://10.2.84.209:9997]
```

props.conf

```
# sourcetype stanza: applies only to events whose sourcetype is exactly XmlWinEventLog:Security
[XmlWinEventLog:Security]
TRANSFORMS-Xml = foo
```

transforms.conf

```
[foo]
# match every event that reaches this transform
REGEX = .
# set the tcpout group the event is routed to
DEST_KEY = _TCP_ROUTING
FORMAT = foobar
```

Before creating/editing these conf files I was seeing lots of non-Windows events being sent to the destination. With these confs in place I am not seeing any events being forwarded.

What's the easiest fix to my conf files so that I only send XMLs to the 3rd party system?

Thanks, Billy

EDIT: What markup does this forum use? Single/triple backticks don't work, nor does <pre></pre>.

0 Karma
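Added example, not part of billy's post or any of the replies: a small raw TCP receiver you can run on the destination host in place of the third-party system to see what actually arrives on port 9997 when sendCookedData = false. It splits the stream into <Event>...</Event> records and other lines, parses each XML event, and counts which records are Security-channel events with an EventID on the question's whitelist (4624, 4634), which are other XML events, and which are not Windows XML at all. The port and whitelist come from the question's outputs.conf and inputs.conf; the sample stream at the bottom is constructed for the demonstration; the assumption that the raw stream is newline-separated text and that events use the standard Windows event XML namespace (handled with or without it) is mine.

```python
"""Raw TCP receiver to check what reaches the third-party port (added example)."""
import socket
import sys
import xml.etree.ElementTree as ET
from collections import Counter

EXPECTED_EVENT_IDS = {4624, 4634}   # whitelist from the inputs.conf in the question
EXPECTED_CHANNEL = "Security"
END_TAG = "</Event>"


def _local(tag: str) -> str:
    """Strip an XML namespace prefix so lookups work with or without xmlns on <Event>."""
    return tag.rsplit("}", 1)[-1]


def split_stream(buf: str):
    """Split buffered text into records: each complete <Event>...</Event> is one
    record, and every non-empty line outside an event is a record of its own.
    Returns (records, unconsumed remainder)."""
    records = []
    while True:
        end = buf.find(END_TAG)
        if end == -1:
            return records, buf
        end += len(END_TAG)
        chunk, buf = buf[:end], buf[end:]
        start = chunk.find("<Event")
        if start == -1:
            # a closing tag with no opening tag: treat the chunk as junk lines
            records.extend(l for l in chunk.splitlines() if l.strip())
            continue
        records.extend(l for l in chunk[:start].splitlines() if l.strip())
        records.append(chunk[start:])


def classify(record: str) -> dict:
    """Decide whether one record is an XML Security event on the whitelist."""
    result = {"kind": "non-xml", "event_id": None, "channel": None}
    if not record.lstrip().startswith("<Event"):
        return result
    try:
        root = ET.fromstring(record)
    except ET.ParseError:
        result["kind"] = "malformed-xml"
        return result
    for el in root.iter():
        name = _local(el.tag)
        if name == "EventID" and el.text and el.text.strip().isdigit():
            result["event_id"] = int(el.text.strip())
        elif name == "Channel" and el.text:
            result["channel"] = el.text.strip()
    expected = (result["event_id"] in EXPECTED_EVENT_IDS
                and result["channel"] == EXPECTED_CHANNEL)
    result["kind"] = "expected-xml" if expected else "unexpected-xml"
    return result


def summarize(text: str) -> Counter:
    """Count record kinds in a complete received stream."""
    records, rest = split_stream(text)
    records.extend(l for l in rest.splitlines() if l.strip())
    return Counter(classify(r)["kind"] for r in records)


def serve(host: str = "0.0.0.0", port: int = 9997) -> None:
    """Accept one forwarder connection and print a summary when it closes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            chunks = []
            while data := conn.recv(65536):
                chunks.append(data)
    print(peer, summarize(b"".join(chunks).decode("utf-8", "replace")))


# Constructed sample (not captured from a real forwarder): two whitelisted
# events, one non-Windows syslog line, one Security event not on the whitelist.
SAMPLE_STREAM = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>4624</EventID><Channel>Security</Channel></System></Event>\n"
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><EventID>4634</EventID><Channel>Security</Channel></System></Event>\n"
    "Jun 12 10:00:01 linuxhost sshd[1234]: Accepted publickey for root\n"
    "<Event><System><EventID>4672</EventID><Channel>Security</Channel></System></Event>\n"
)

if __name__ == "__main__":
    if "--listen" in sys.argv:
        serve()
    else:
        print(summarize(SAMPLE_STREAM))
```

Run it with --listen on the destination host before restarting the forwarder and stop the forwarder to close the connection; the printed Counter tells you whether the routing is sending nothing, everything, or only the whitelisted XML events. With no arguments it just classifies the built-in sample.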

PickleRick
SplunkTrust

As you are running Universal Forwarder it does not process the transforms by default.

You could try enabling the force_local_processing option for a sourcetype, but it's not very well documented and generally not advisable since it increases load on the UF (which is supposed to be as lightweight as possible).

0 Karma

KothariSurbhi
Loves-to-Learn Everything

Hello @billy ,

Can you please use the configuration provided below, where I've added the sourcetype in inputs.conf:

inputs.conf -

```
[WinEventLog://Security]
disabled = 0
current_only = 1
renderXml = 1
whitelist = 4624, 4634
# fix the sourcetype so the [XmlWinEventLog:Security] props.conf stanza matches
sourcetype = XmlWinEventLog:Security
```

2 - You can also configure the files using source instead of sourcetype

inputs.conf -

```
[WinEventLog://Security]
disabled = 0
current_only = 1
renderXml = 1
whitelist = 4624, 4634
```

props.conf -

```
# match on the source field rather than the sourcetype
[source::XmlWinEventLog:Security]
TRANSFORMS-Xml = send_to_3rd_party
```

transforms.conf -

```
[send_to_3rd_party]
# match every event from the stanza above and route it to the foobar tcpout group
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = foobar
```

If this reply helps you, Karma would be appreciated.

Thanks,
Surbhi

0 Karma