
How to forward only Windows events (XML) to a 3rd party system?

billy
Loves-to-Learn Everything

I have a universal forwarder running on my Domain Controller which only captures logon/logoff events.

inputs.conf

```
[WinEventLog://Security]
disabled = 0
# only collect events written after the input starts; the setting needs a value
current_only = 1
renderXml = 1
whitelist = 4624, 4634
```

On my Splunk server I set up forwarding to a 3rd party.

outputs.conf

```
[tcpout]
# point the default group at a group that does not exist, so nothing is
# forwarded unless a transform sets _TCP_ROUTING explicitly
defaultGroup = nothing

[tcpout:foobar]
server = 10.2.84.209:9997
# raw text rather than Splunk's cooked (S2S) format, for a non-Splunk receiver
sendCookedData = false

[tcpout-server://10.2.84.209:9997]
```

props.conf

```
[XmlWinEventLog:Security]
TRANSFORMS-Xml = foo
```

transforms.conf

```
[foo]
# match every event of this sourcetype and route it to the foobar output group
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = foobar
```

Before creating/editing these conf files I was seeing lots of non-Windows events being sent to the destination. With these confs in place I am not seeing any events being forwarded.

What's the easiest fix to my conf files so that I only send XMLs to the 3rd party system?

Thanks, Billy

EDIT: What markup does this forum use? Single/triple backticks don't work, nor does <pre></pre>.

0 Karma

PickleRick
SplunkTrust

As you are running a Universal Forwarder, it does not process the transforms by default.

You could try enabling the force_local_processing option for a sourcetype, but it's not very well documented and generally not advisable since it increases load on the UF (which is supposed to be as lightweight as possible).

0 Karma

KothariSurbhi
Loves-to-Learn Everything

Hello @billy,

Can you please use the configuration provided below, where I've added the sourcetype in inputs.conf:

inputs.conf

```
[WinEventLog://Security]
disabled = 0
# the setting needs a value
current_only = 1
renderXml = 1
whitelist = 4624, 4634
sourcetype = XmlWinEventLog:Security
```
2 - You can also configure the files using source instead of sourcetype:

inputs.conf

```
[WinEventLog://Security]
disabled = 0
# the setting needs a value
current_only = 1
renderXml = 1
whitelist = 4624, 4634
```

props.conf

```
[source::XmlWinEventLog:Security]
TRANSFORMS-Xml = send_to_3rd_party
```

transforms.conf

```
[send_to_3rd_party]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = foobar
```

If this reply helps you, Karma would be appreciated.

Thanks,
Surbhi

0 Karma
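To check what actually arrives at the destination once the routing is in place, here is an added example that is not part of this thread or of any Splunk product: a small Python stand-in for the third-party receiver. It listens on the port from the outputs.conf above (9997; the address and port come from the thread, the receiver itself is an assumption), reads the raw text that `sendCookedData = false` produces, and reports, per delivery, whether it is a whitelisted XML Security event (4624/4634), some other Event ID that the whitelist should have dropped, malformed XML, or a non-Windows line that leaked through. The sample stream at the bottom is constructed for offline use; the events in it are heavily trimmed and are not real captures.

```python
"""Added example, not from the thread: a stand-in for the third-party TCP
receiver that audits the raw stream Splunk sends when sendCookedData = false.
Constructed sample data at the bottom lets it run offline."""
from __future__ import annotations

import re
import socketserver
import xml.etree.ElementTree as ET

# Windows event XML namespace; renderXml = 1 output carries it on <Event>.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ALLOWED_EVENT_IDS = {4624, 4634}  # mirrors the whitelist in inputs.conf

# One event is one <Event ...>...</Event> element. Matching the element rather
# than newlines also copes with pretty-printed XML; \b stops <EventID> and
# <EventData> from being taken as an event start.
EVENT_RE = re.compile(r"<Event\b.*?</Event>", re.DOTALL)


def split_events(stream: str) -> tuple[list[str], str]:
    """Return (xml_events, leftover); leftover is all text outside <Event> elements."""
    return EVENT_RE.findall(stream), EVENT_RE.sub("", stream)


def event_id(xml_event: str) -> int | None:
    """EventID from the <System> section, or None if the XML is malformed or
    lacks the Windows event namespace (e.g. some other product's XML)."""
    try:
        root = ET.fromstring(xml_event)
    except ET.ParseError:
        return None
    node = root.find("e:System/e:EventID", NS)
    if node is None or node.text is None or not node.text.strip().isdigit():
        return None
    return int(node.text.strip())


def audit(stream: str) -> dict:
    """Classify a chunk of received text against what the route should carry."""
    events, leftover = split_events(stream)
    ids = [event_id(e) for e in events]
    return {
        "xml_events": len(events),
        "allowed": sum(1 for i in ids if i in ALLOWED_EVENT_IDS),
        "unexpected_ids": sorted({i for i in ids if i is not None and i not in ALLOWED_EVENT_IDS}),
        "malformed": ids.count(None),
        "non_xml_lines": [ln for ln in leftover.splitlines() if ln.strip()],
    }


class RawEventHandler(socketserver.StreamRequestHandler):
    """Audit each delivery as it arrives; the forwarder keeps the connection
    open, so process per event instead of waiting for EOF."""

    def handle(self) -> None:
        buf = ""
        for raw in self.rfile:
            buf += raw.decode("utf-8", errors="replace")
            if not buf.strip():
                buf = ""
                continue
            # flush on a complete XML event, or at once if the buffer is not XML
            if "</Event>" in buf or not buf.lstrip().startswith("<Event"):
                print(self.client_address[0], audit(buf))
                buf = ""


def serve(port: int = 9997) -> None:
    """Port matches the server= line in the thread's outputs.conf."""
    with socketserver.TCPServer(("0.0.0.0", port), RawEventHandler) as srv:
        srv.serve_forever()


def make_event(eid: int, user: str) -> str:
    """Constructed, heavily trimmed Security event for testing (not a real capture)."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
        f"<EventID>{eid}</EventID><Channel>Security</Channel>"
        "<Computer>DC01.example.local</Computer></System>"
        f"<EventData><Data Name='TargetUserName'>{user}</Data></EventData></Event>"
    )


# Constructed sample: two whitelisted logon/logoff events, one 4672 the
# whitelist should have dropped, and a non-Windows syslog line that leaked through.
SAMPLE_STREAM = "\n".join([
    make_event(4624, "alice"),
    make_event(4634, "alice"),
    make_event(4672, "SYSTEM"),
    "Jan 12 10:15:01 web01 sshd[2211]: Accepted publickey for bob from 10.0.0.5 port 51234 ssh2",
]) + "\n"

if __name__ == "__main__":
    print(audit(SAMPLE_STREAM))
    # serve()  # uncomment to listen for a real forwarder on 9997
```

Run it as-is to see the report for the constructed sample (3 XML events, 2 allowed, 4672 flagged, 1 non-XML line); uncomment `serve()` and point the `[tcpout:foobar]` group at the host it runs on to audit a live stream. Anything other than `allowed` equal to `xml_events` with empty `unexpected_ids` and `non_xml_lines` means the whitelist or the `_TCP_ROUTING` transform is not doing what the configs above intend.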