Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to forward only Windows events (XML) to a 3rd party system?

billy
Loves-to-Learn Everything
‎03-12-2024 05:16 PM

I have a universal forwarder running on my Domain Controller which only captures logon/logff events.

inputs.conf

```

[WinEventLog://Security]
disabled = 0
current_only
renderXml = 1
whitelist = 4624, 4634

```

In my Splunk server I set up forwarding to a 3rd party.

outputs.conf

```

[tcpout]
defaultGroup = nothing

[tcpout:foobar]
server = 10.2.84.209:9997
sendCookedData = false

[tcpout-server://10.2.84.209:9997]

```

props.conf

```

[XmlWinEventLog:Security]
TRANSFORMS-Xml=foo

```

Transforms.conf

```

[foo]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=foobar

```

Before creating/editing these conf files I am still seeing lots of non- Windows events being sent to the destination. With these confs in place I am not seeing any events being forwarded.

What's the easiest fix to my conf files so that I only send XMLs to the 3rd party system?

Thanks, Billy

EDIT: What markup does this forum use? single/triple backticks dont work, nor is <pre></pre>

Labels (3)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-04-2024 01:14 AM

As you are running Universal Forwarder it does not process the transforms by default.

You could try enabling force_local_processing option for a sourcetype but it's not very well docummented and generally not advisable since it increases load on the UF (which is supposed to be as lightweight as possible).

0 Karma
Reply

KothariSurbhi
Loves-to-Learn Everything
‎04-04-2024 12:51 AM

Hello @billy ,

Can you please use the configuration provided below, where I've added the sourcetype in inputs.conf:

 

[WinEventLog://Security]
disabled = 0
current_only
renderXml = 1
whitelist = 4624, 4634
sourcetype = XmlWinEventLog:Security

 

 

2 - You can also configure the files using source instead of sourcetype

 

inputs.conf -
[WinEventLog://Security]
disabled = 0
current_only
renderXml = 1
whitelist = 4624, 4634

props.conf - 
[source::XmlWinEventLog:Security]
TRANSFORMS-Xml = send_to_3rd_party

transforms.conf
[send_to_3rd_party]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = foobar

 

If this reply helps you, Karma would be appreciated.

Thanks,
Surbhi

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...