Getting Data In

How to monitor a specific Windows Application EventCode?

Path Finder

I'm trying to monitor a specific Windows Application EventCode (via a whitelist), yet the events are not being sent to Splunk.

I've found numerous posts on the answers site, most of them with different configs, but I've yet to find one that works. What's stated in the documentation (http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/MonitorWindowseventlogdata#Create_advanced_fi...) does not work as specified.

I've tried both of these stanzas with no luck:

[WinEventLog://Application]
disabled = 0
index = os_windows
whitelist = EventCode="^3000$"

[WinEventLog://Application]
disabled = 0
index = os_windows
whitelist = EventCode="3000"

I'm running v6.6.1. Any help would be appreciated.
Thanks.

0 Karma

Esteemed Legend

You need to deploy these settings to your indexing server (usually your Indexer Tier but it could be your Heavy Forwarder).
You need to restart all Splunk instances there.
You need to verify it by checking ONLY events that have been indexed since the restart ( _index_earliest=-5m@m or similar) because existing events will stay (you can use delete to hide them).

0 Karma

Path Finder

The approach Giuseppe suggested is not one I'm exploring. I'm confident this can be done via a whitelist on the UF, not on the Indexers.

0 Karma

Esteemed Legend

My answer is not "an approach"; it is a deployment and testing methodology regardless of what approach you do use. In other words, the problem is probably not in "your approach".

0 Karma

Path Finder

I don't think the quotes are needed (I don't see them in the actual Event Log details).

I've tried all of the following with no luck:
1. whitelist = EventCode=\"3000\"
2. whitelist = EventCode=3000
3. whitelist = EventCode=3000

The documentation is very straightforward as to how this should work. Very frustrating it doesn't function as advertised.

0 Karma

Legend

Hi ericlarsen,
at first verify if regex is correct using a simple searchç:
index=wineventlog | regex "EventCode=3000"
you should have only events with EvenCode=3000.
Sometimes EventCode is expressed as EventId and sometimes there are spaces.

If regex is correct I suggest to use a different approach to filter events: see at http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad and filter data before indexing.
I know that this requireme more bandwidht occupation but it's a sure method.

Bye.
Giuseppe

0 Karma

Path Finder

Thanks for the response.

I've verified that index=myIndex | regex "EventCode=3000" works in the search bar.

Are you suggesting using a HF to filter events before they're ingested?
Thanks.

0 Karma

Legend

No, in your indexers you can filter events following the URL I mentioned.
In other words, you have to insert in
props.conf

[WinEventLog:Security]
TRANSFORMS-set-3000=set_nullqueue,set_3000

transforms.conf

#discard
[set_nullqueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue
#take
[set_3000]
REGEX=EventCode\=3000
DEST_KEY = queue
FORMAT = indexQueue

In this way on sourcetype WinEventLog:Security you take only events with EventCode=3000

Bye.
Giuseppe

0 Karma

Legend

Hi ericlarsen,
in whitelist, you have to insert a regex not a string, try with

whitelist = EventCode\=\"3000\"

check if the message is effectively EventCode="3000", I'm not sure of brackets.

Bye.
Giuseppe

0 Karma