How to monitor a specific Windows Application EventCode?
I'm trying to monitor a specific Windows Application EventCode (via a whitelist), yet the events are not being sent to Splunk.
I've found numerous posts on the answers site, most of them with different configs, but I've yet to find one that works. What's stated in the documentation (http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/MonitorWindowseventlogdata#Create_advanced_fi...) does not work as specified.
I've tried both of these stanzas with no luck:
[WinEventLog://Application]
disabled = 0
index = os_windows
whitelist = EventCode="^3000$"

[WinEventLog://Application]
disabled = 0
index = os_windows
whitelist = EventCode="3000"
I'm running v6.6.1. Any help would be appreciated.
Thanks.

You need to deploy these settings to your indexing server (usually your Indexer Tier but it could be your Heavy Forwarder).
You need to restart all Splunk instances there.
You need to verify it by checking ONLY events that have been indexed since the restart (_index_earliest=-5m@m or similar) because existing events will stay (you can use delete to hide them).
The approach Giuseppe suggested is not one I'm exploring. I'm confident this can be done via a whitelist on the UF, not on the Indexers.

My answer is not "an approach"; it is a deployment and testing methodology regardless of what approach you do use. In other words, the problem is probably not in "your approach".
I don't think the quotes are needed (I don't see them in the actual Event Log details).
I've tried all of the following with no luck:
1. whitelist = EventCode=\"3000\"
2. whitelist = EventCode=3000
3. whitelist = EventCode=3000
The documentation is very straightforward as to how this should work. Very frustrating it doesn't function as advertised.

Hi ericlarsen,
at first verify if the regex is correct using a simple search:
index=wineventlog | regex "EventCode=3000"
you should have only events with EventCode=3000.
Sometimes EventCode is expressed as EventId and sometimes there are spaces.
If the regex is correct I suggest using a different approach to filter events: see http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad and filter data before indexing.
I know that this requires more bandwidth occupation but it's a sure method.
Bye.
Giuseppe
Thanks for the response.
I've verified that index=myIndex | regex "EventCode=3000" works in the search bar.
Are you suggesting using a HF to filter events before they're ingested?
Thanks.

No, in your indexers you can filter events following the URL I mentioned.
In other words, you have to insert in

props.conf
[WinEventLog:Security]
TRANSFORMS-set-3000 = set_nullqueue,set_3000

transforms.conf
#discard
[set_nullqueue]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
#take
[set_3000]
REGEX = EventCode\=3000
DEST_KEY = queue
FORMAT = indexQueue

In this way on sourcetype WinEventLog:Security you take only events with EventCode=3000.
Bye.
Giuseppe
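A small model of how the props.conf/transforms.conf chain above is evaluated, added here as an illustration and not taken from the thread or from Splunk's own code: the stanzas named in a TRANSFORMS-* list run in order and later matches overwrite earlier ones, so set_nullqueue must come before set_3000, and an unanchored REGEX also matches longer codes that start with 3000. The sample events and the extra set_3000_exact stanza are constructed assumptions.

```python
import re

# Constructed sample events (not real log data), laid out the way the
# Windows Event Log input writes them into _raw: one key=value per line.
EVENTS = [
    "03/08/2017 10:01:22 AM\nLogName=Application\nEventCode=3000\nMessage=Sample",
    "03/08/2017 10:01:23 AM\nLogName=Application\nEventCode=1000\nMessage=Sample",
    "03/08/2017 10:01:24 AM\nLogName=Application\nEventCode=30001\nMessage=Sample",
]

# The two transforms.conf stanzas quoted in the thread, plus a hypothetical
# anchored variant (set_3000_exact) that refuses to match EventCode=30001.
TRANSFORMS = {
    "set_nullqueue": {"REGEX": r".", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "set_3000": {"REGEX": r"EventCode\=3000", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
    "set_3000_exact": {"REGEX": r"EventCode=3000(?:\r?\n|$)", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
}


def route(raw, chain):
    """Return the queue one raw event ends up in after the stanzas in `chain`
    run in order. Model of TRANSFORMS-<class> processing: every stanza whose
    REGEX matches _raw writes FORMAT into DEST_KEY, and a later stanza in the
    comma-separated list overwrites what an earlier one set."""
    keys = {"queue": "indexQueue"}  # default: nothing is diverted
    for name in chain:
        stanza = TRANSFORMS[name]
        if re.search(stanza["REGEX"], raw):
            keys[stanza["DEST_KEY"]] = stanza["FORMAT"]
    return keys["queue"]


def event_code(raw):
    """Pull the EventCode value out of a raw Windows event."""
    m = re.search(r"^EventCode=(\d+)$", raw, re.MULTILINE)
    return m.group(1) if m else None


def kept_codes(chain):
    """EventCodes that would still reach the indexQueue for a given chain."""
    return [event_code(e) for e in EVENTS if route(e, chain) == "indexQueue"]


if __name__ == "__main__":
    print(kept_codes(["set_nullqueue", "set_3000"]))        # ['3000', '30001']
    print(kept_codes(["set_3000", "set_nullqueue"]))        # [] (reversed order drops everything)
    print(kept_codes(["set_nullqueue", "set_3000_exact"]))  # ['3000']
```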

Hi ericlarsen,
in whitelist, you have to insert a regex, not a string; try with
whitelist = EventCode\=\"3000\"
and check if the message is effectively EventCode="3000", I'm not sure of the brackets.
Bye.
Giuseppe
