This is what the book says to do...
On the forwarder, you need to enable the WinEventLog:Security input.
On the indexer you need to create entries in your system/local/props.conf and system/local/transforms.conf
props.conf
[source::*:Security]
TRANSFORMS-set=setnull,setparsing
transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = (?m)^EventCode=(5410|6913)
DEST_KEY = queue
FORMAT = indexQueue
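Added example, not part of the answer above and not Splunk's own code: a small Python model of how the two transforms are applied in the order TRANSFORMS-set lists them, showing why setnull must come before setparsing and why the (?m) flag is needed. The event text, the make_event helper and the summarize function are constructed for illustration.

```python
import re

# Constructed model of the two transforms.conf stanzas above, in the order
# props.conf lists them: TRANSFORMS-set = setnull,setparsing.
# Each entry: (stanza name, compiled REGEX, DEST_KEY, FORMAT).
TRANSFORMS = [
    ("setnull",    re.compile(r"."),                           "queue", "nullQueue"),
    ("setparsing", re.compile(r"(?m)^EventCode=(5410|6913)"), "queue", "indexQueue"),
]

def route_event(raw, transforms=TRANSFORMS):
    """Return the queue a raw event ends in after applying the transforms
    left to right. As in Splunk, each matching transform that targets
    DEST_KEY=queue overwrites the previous value, so the last match wins."""
    queue = "indexQueue"            # default when no transform matches
    for _name, regex, dest_key, fmt in transforms:
        if dest_key == "queue" and regex.search(raw):
            queue = fmt
    return queue

def summarize(events, transforms=TRANSFORMS):
    """Count how many events land in each queue (constructed helper)."""
    counts = {"indexQueue": 0, "nullQueue": 0}
    for ev in events:
        counts[route_event(ev, transforms)] += 1
    return counts

# Constructed events in the multi-line WinEventLog text layout: the first
# line is the timestamp, so "EventCode=" never sits at the start of the event.
def make_event(code):
    return (f"04/01/2024 10:00:00 AM\nLogName=Security\n"
            f"EventCode={code}\nMessage=constructed sample")

SAMPLE_EVENTS = [make_event(c) for c in (5410, 6913, 4624, 4672, 5410)]

if __name__ == "__main__":
    print("book order    :", summarize(SAMPLE_EVENTS))
    # Reversed order: setnull matches every event last, so nothing is indexed.
    print("reversed order:", summarize(SAMPLE_EVENTS, list(reversed(TRANSFORMS))))
    # Without (?m), ^ anchors only at the very start of the event, so the
    # EventCode line never matches and every event is dropped.
    no_m = [TRANSFORMS[0],
            ("setparsing", re.compile(r"^EventCode=(5410|6913)"), "queue", "indexQueue")]
    print("without (?m)  :", summarize(SAMPLE_EVENTS, no_m))
```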
As of Splunk 6, there is a simpler way to filter which Windows events are forwarded by Splunk.
See whitelist and blacklist in the "Windows Event Log Monitor" section of the following doc: http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf