Getting Data In

How to forward only Windows events (XML) to a 3rd party system?

billy
Loves-to-Learn Everything

I have a universal forwarder running on my Domain Controller which only captures logon/logoff events.

inputs.conf

```
[WinEventLog://Security]
disabled = 0
current_only
renderXml = 1
whitelist = 4624, 4634
```

In my Splunk server I set up forwarding to a 3rd party.

outputs.conf

```
[tcpout]
defaultGroup = nothing

[tcpout:foobar]
server = 10.2.84.209:9997
sendCookedData = false

[tcpout-server://10.2.84.209:9997]
```

props.conf

```
[XmlWinEventLog:Security]
TRANSFORMS-Xml=foo
```

transforms.conf

```
[foo]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=foobar
```

Before creating/editing these conf files I am still seeing lots of non-Windows events being sent to the destination. With these confs in place I am not seeing any events being forwarded.

What's the easiest fix to my conf files so that I only send XMLs to the 3rd party system?

Thanks, Billy

EDIT: What markup does this forum use? Single/triple backticks don't work, nor does <pre></pre>.


PickleRick
SplunkTrust

As you are running Universal Forwarder it does not process the transforms by default.

You could try enabling the force_local_processing option for a sourcetype, but it's not very well documented and generally not advisable since it increases load on the UF (which is supposed to be as lightweight as possible).


KothariSurbhi
Loves-to-Learn Everything

Hello @billy,

Can you please use the configuration provided below, where I've added the sourcetype in inputs.conf:

inputs.conf

```
[WinEventLog://Security]
disabled = 0
current_only
renderXml = 1
whitelist = 4624, 4634
sourcetype = XmlWinEventLog:Security
```

2 - You can also configure the files using source instead of sourcetype

inputs.conf

```
[WinEventLog://Security]
disabled = 0
current_only
renderXml = 1
whitelist = 4624, 4634
```

props.conf

```
[source::XmlWinEventLog:Security]
TRANSFORMS-Xml = send_to_3rd_party
```

transforms.conf

```
[send_to_3rd_party]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = foobar
```

If this reply helps you, Karma would be appreciated.

Thanks,
Surbhi

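A quick way to check a routing setup like the ones above before restarting anything: the added script below (not from the question or either reply) parses the four conf files and walks the inputs -> props -> transforms -> outputs chain, flagging bare keys with no value, a props stanza that can never match the input's events, transforms that are referenced but not defined, and a _TCP_ROUTING FORMAT that names no tcpout group. It assumes the naming the forwarder applies when renderXml = 1 and no explicit sourcetype is set (sourcetype XmlWinEventLog, source XmlWinEventLog:<channel>) and that the props/transforms are evaluated on a full Splunk instance, not the UF.

```python
import configparser

def load_conf(text):
    """Parse Splunk .conf text; keep key case and accept bare keys so they can be flagged."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None, strict=False)
    cp.optionxform = str  # keep renderXml / TRANSFORMS-Xml as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def check_routing(inputs, props, transforms, outputs):
    """Return a list of breaks in the inputs -> props -> transforms -> outputs chain."""
    problems = []
    for fname, conf in (("inputs", inputs), ("props", props),
                        ("transforms", transforms), ("outputs", outputs)):
        for stanza, kv in conf.items():  # a key with no "= value" is not a valid setting
            problems += [f"{fname}.conf [{stanza}]: '{k}' has no value" for k, v in kv.items() if v is None]
    # Assumption: with renderXml = 1 and no explicit sourcetype the forwarder tags events
    # sourcetype=XmlWinEventLog, source=XmlWinEventLog:<channel>; otherwise WinEventLog / WinEventLog:<channel>.
    matchable = set()
    for stanza, kv in inputs.items():
        if stanza.startswith("WinEventLog://") and kv.get("disabled", "0") not in ("1", "true"):
            prefix = "XmlWinEventLog" if kv.get("renderXml") in ("1", "true") else "WinEventLog"
            matchable.add(kv.get("sourcetype", prefix))
            matchable.add("source::" + prefix + ":" + stanza.split("://", 1)[1])
    groups = {s.split(":", 1)[1] for s in outputs if s.startswith("tcpout:")}
    for stanza, kv in props.items():
        if stanza not in matchable:
            problems.append(f"props.conf [{stanza}] matches no input; expected one of {sorted(matchable)}")
        for key, val in kv.items():
            if key.startswith("TRANSFORMS-"):
                for name in (val or "").replace(" ", "").split(","):
                    t = transforms.get(name)
                    if t is None:
                        problems.append(f"props.conf [{stanza}] {key}: transform '{name}' not defined")
                    elif t.get("DEST_KEY") == "_TCP_ROUTING" and t.get("FORMAT") not in groups:
                        problems.append(f"transforms.conf [{name}]: FORMAT '{t.get('FORMAT')}' is not a tcpout group")
    return problems

# Constructed sample: the question's inputs/props/transforms plus a minimal outputs.conf.
INPUTS = "[WinEventLog://Security]\ndisabled = 0\ncurrent_only\nrenderXml = 1\nwhitelist = 4624, 4634\n"
PROPS = "[XmlWinEventLog:Security]\nTRANSFORMS-Xml=foo\n"
TRANSFORMS = "[foo]\nREGEX = .\nDEST_KEY=_TCP_ROUTING\nFORMAT=foobar\n"
OUTPUTS = "[tcpout]\ndefaultGroup = nothing\n\n[tcpout:foobar]\nserver = 10.2.84.209:9997\nsendCookedData = false\n"

def audit(inputs=INPUTS, props=PROPS, transforms=TRANSFORMS, outputs=OUTPUTS):
    return check_routing(*(load_conf(t) for t in (inputs, props, transforms, outputs)))

if __name__ == "__main__":
    print("\n".join(audit()) or "routing chain looks consistent")
```

Against the question's files it reports the bare current_only key and that [XmlWinEventLog:Security] names neither the expected sourcetype nor the source; with a [source::XmlWinEventLog:Security] props stanza, as in option 2 above, the chain checks out.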