Hi,
I would like to forward only successful and failed Windows login attempts from my Windows 2008 Server to my RHEL forwarder. How do I go about configuring this?
My thanks in advance
Have you looked at this section of the docs?
http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Routeandfilterdatad#Keep_specific_events_an...
You would probably need something like:
in props.conf
# apply the two transforms, in this order, to every event of this sourcetype
[WinEventLog:Security]
TRANSFORMS-winevt=winevtnull, winevtparsing
in transforms.conf
# 1. catch-all: route every event to the null queue (i.e. drop it)
[winevtnull]
REGEX=(?m).
DEST_KEY=queue
FORMAT=nullQueue
# 2. exceptions: events whose EventCode line matches go back to the index queue
[winevtparsing]
REGEX=(?m)^EventCode=(AAAA|BBBB|CCCC|DDDD)
DEST_KEY=queue
FORMAT=indexQueue
Where AAAA, BBBB etc would be the EventCodes you are interested in keeping. Haven't tried it with WinEventLogs before myself, but this is what the good book says.
UPDATED to remove references to [WMI:WinEventLog:Security] and WMI stuff in general. See comments below for more info.
Hope this helps,
Kristian
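To see what the two transforms in the answer above actually do to events, here is an added example (my own code, not from the answer and not Splunk's parser) that applies the same REGEX/DEST_KEY/FORMAT stanzas, in the order props.conf names them, to a few constructed WinEventLog:Security-style events. The conf text, the tiny .conf reader, the event bodies and the EventCode list are assumptions made for the demo; the routing rule it implements (every matching transform rewrites the queue, so the last match wins, and an event nothing matches stays on indexQueue) is how Splunk's queue routing behaves.

```python
import re

# Constructed transforms.conf fragment mirroring the answer above (assumption: demo data).
TRANSFORMS_CONF = """
# catch-all: send every event of this sourcetype to the null queue
[winevtnull]
REGEX=(?m).
DEST_KEY=queue
FORMAT=nullQueue

# exceptions: events whose EventCode line matches go back to the index queue
[winevtparsing]
REGEX=(?m)^EventCode=(4624|4625|4634|4672)
DEST_KEY=queue
FORMAT=indexQueue
"""

# props.conf says: TRANSFORMS-winevt=winevtnull, winevtparsing  (this order matters)
TRANSFORMS_ORDER = ["winevtnull", "winevtparsing"]


def parse_conf(text):
    """Minimal .conf reader (not Splunk's): {stanza: {key: value}}; skips blanks and # comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def route_event(raw_event, conf, order):
    """Apply each queue-routing transform in order. Every transform whose REGEX
    matches rewrites the queue, so the LAST matching transform wins. An event
    that matches nothing keeps the default destination, indexQueue."""
    queue = "indexQueue"
    for name in order:
        transform = conf[name]
        if transform.get("DEST_KEY") != "queue":
            continue
        if re.search(transform["REGEX"], raw_event):
            queue = transform["FORMAT"]
    return queue


def make_event(event_code, message):
    """Constructed WinEventLog:Security-style event body (sample data, not a real capture)."""
    return (
        "03/20/2012 10:15:01 AM\n"
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        f"EventCode={event_code}\n"
        "EventType=0\n"
        "Type=Information\n"
        "ComputerName=WIN2008-SRV\n"
        f"Message={message}\n"
    )


SAMPLE_EVENTS = {
    "logon_success": make_event(4624, "An account was successfully logged on."),
    "logon_failure": make_event(4625, "An account failed to log on."),
    "logoff": make_event(4634, "An account was logged off."),
    "audit_policy_change": make_event(4719, "System audit policy was changed."),
}


def route_all(order=TRANSFORMS_ORDER):
    """Return {event_name: queue} for the sample events under the given transform order."""
    conf = parse_conf(TRANSFORMS_CONF)
    return {name: route_event(body, conf, order) for name, body in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, queue in route_all().items():
        print(f"{name:22s} -> {queue}")
    # Reversing the order makes the catch-all the last word: every event is dropped.
    print("reversed order:", route_all(list(reversed(TRANSFORMS_ORDER))))
```

Two things to check when this does not behave on a real system: the nullQueue stanza must be listed first in TRANSFORMS-winevt (reverse the order and the catch-all wins, which is what the last print shows), and these transforms run at parse time, so props.conf/transforms.conf belong on the indexer (or a heavy forwarder), not on a universal forwarder. The regex has no end anchor; `(?m)^EventCode=(4624|4625)$` is the tighter form if you want an exact match on the code.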
it works perfectly now, I have run this setup on a second server that is working well. I plan on doing two more servers by the end of the week, and if those are good, then I think we are all set.
You can only send data to an existing index. So use 'main'; it will be there.
If you have disabled all inputs apart from [WinEventLog:Security], there should be no new perf-mon data coming in, but the old stuff will still be there.
Are you sure you are not seeing old events?
What is your search query?
Make sure you restart the forwarder after changing configuration.
If you have no other inputs than
[WinEventLog:Security]
index=main
disabled=0
in your c:\program files\splunk\etc\system\local\inputs.conf file on the forwarder, there should be no perf-mon or CPU data coming in.
It appears there was other content missing from the inputs.conf. Here is my completed config file, which I will test on another server today.
[WinEventLog:Security]
index=default
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 1
interval = 10000000
source = wmi
sourcetype = wmi
queue = winparsing
persistentQueueSize=200MB
(rest of config to follow)
[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]
disabled = 1
interval = 10000000
source = WinRegistry
sourcetype=WinRegistry
queue = winparsing
persistentQueueSize=50MB
[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
interval = 10000000
source = ActiveDirectory
sourcetype = ActiveDirectory
disabled = 1
queue = winparsing
persistentQueueSize=50MB
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
interval = 10000000
source = PerformanceMonitor
sourcetype = PerformanceMonitor
disabled = 1
queue = winparsing
persistentQueueSize=50MB
I tried default index as well to no avail.
I found the indexes in the Splunk Manager > Indexes section, and the only ones that are updating frequently are the main, _internal, and _audit indexes. I changed index= in the inputs.conf file to main, then restarted the service, and stuff kept showing up for CPU, etc., so I did the same for _internal and _audit, and those also showed everything. I made sure I saved the file and restarted the service on the Windows server after every change to the inputs.conf file.
Could it be I used the wrong index name in the inputs.conf? I apologize as I am very green when it comes to splunk, so anything is possible. :0)
source type='sourcetype::WinEventLog:Security' (1 missing total)
What should the name of that index be ? Here are my files:
props.conf:
[WinEventLog:Security]
TRANSFORMS-winevt=winevtnull, winevtparsing
transforms.conf:
[winevtnull]
REGEX=(?m).
DEST_KEY=queue
FORMAT=nullQueue
[winevtparsing]
REGEX=(?m)^EventCode=(5157|4625|4624|7036|1102|1033)
DEST_KEY=queue
FORMAT=indexQueue
inputs.conf:
[WinEventLog:Security]
index=winevtparsing
disabled = 0
When I generated a failed login, I got the error in the local splunk stating: received event for unconfigured/disabled index='winevtparsing' with source='source::Wineventlog:security' host='host::KIM-SNIFF'
Your inputs.conf on the forwarder should contain
[WinEventLog:Security]
index=your_index
disabled = 0
and nothing else. I might have made a slight mistake in copying text from the docs. In props.conf, the stanza name should probably NOT be [WMI:WinEventLog:Security], but rather [WinEventLog:Security].
That should match the sourcetype better.
/k
Still sending everything...
It was under system\local and was set to:
host = HOSTNAME
[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
disabled = 0 <-- changing to 1
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0 <-- changing to 1
[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]
disabled = 0 <-- changing to 1
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
I tried this article to no avail:
http://splunk-base.splunk.com/answers/29218/filtering-windows-event-logs
You should look at the inputs.conf file on your forwarder. Actually, there may be several files called inputs.conf. Not 100% sure where they will be on a Windows forwarder though, but probably under
c:\program files\splunk\etc\apps\search or
c:\program files\splunk\etc\apps\launcher or
c:\program files\splunk\etc\apps\MSICreated or
c:\program files\splunk\etc\system\local
Remove or comment any references to perf-mon data (or other stuff you do not want.)
Oh yeah, the forwarding and receiving is working great. I even see the connection when I do a netstat -na on the receiver. Lots of data got dumped into the receiver (CPU, memory, etc.). My problem is I need to filter the data sent to the receiver. I only want Windows security entries being sent to the receiver.
Also, you have to install and configure a forwarder on the windows machine. See the "Getting Data in" manual in the docs.
http://docs.splunk.com/Documentation/Splunk/latest/Data/Usingforwardingagents
http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata
Also you might want to look at the Distributed Deployment manual
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Deploymentoverview
Also, you have to enable your splunk server to listen to incoming traffic, and your forwarder to send the logs to the correct host/port
/k
Here is what I added to the very bottom of my transforms file:
[wminull]
REGEX=(?m).
DEST_KEY=queue
FORMAT=nullQueue
[wmiparsing]
REGEX=(?m)^EventCode=(4616|4625|4624|4634|4647|4648|4656|4672|4673|4674|4776|4778|4779|4953|4985)
DEST_KEY=queue
FORMAT=indexQueue
All the event codes are codes I found manually going through Event Viewer. I restarted splunk on both the receiver and the forwarder. Any ideas?
Ahhhh, I copied the files from default into local, and then added the text to the props and transforms in the local directory. Actually, that should give us the same result, so no biggie, right?
So I set up forwarding and receiving, but it is still sending all content, including CPU time, memory, etc. Here is what I added to the very bottom of my props file:
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull, wmiparsing
(more in the next comment)
Never edit the files in a 'default' directory. Create new empty props/transforms.conf files and just add your configs there. At runtime the settings are merged, and a setting in a conf file in a 'default' directory will be overridden by settings in a conf file in a 'local' directory.
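The default/local layering described in that last comment is what bit the poster earlier in the thread: a local inputs.conf that only declares [WinEventLog:Security] says nothing about the perf-mon, WMI and other scripted inputs that a default inputs.conf enables, so they stay on. Here is an added example (my own code, not Splunk's merge logic) that layers two constructed inputs.conf fragments the way local sits over default, key by key, and lists which inputs end up enabled. The two default stanzas and both local variants are assumptions made for the demo, trimmed to the keys that matter; the precedence rule (a local setting overrides the same key in default, everything else is inherited) is the one the comment states.

```python
import configparser

# Constructed stand-in for etc\system\default\inputs.conf (assumption: demo data, trimmed).
DEFAULT_INPUTS = r"""
[WinEventLog:Security]
disabled = 1

[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
interval = 10000000
source = PerformanceMonitor
sourcetype = PerformanceMonitor
disabled = 0

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
interval = 10000000
source = wmi
sourcetype = wmi
disabled = 0
"""

# A local file that only declares the wanted input and says nothing about the rest.
LOCAL_INPUTS_INCOMPLETE = r"""
[WinEventLog:Security]
index = main
disabled = 0
"""

# A local file that also switches the unwanted default inputs off.
LOCAL_INPUTS_FIXED = LOCAL_INPUTS_INCOMPLETE + r"""
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 1

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 1
"""


def read_conf(text):
    """Parse a .conf fragment into {stanza: {key: value}}, keeping key case as written."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # do not lower-case keys such as persistentQueueSize
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def merge_layers(*layers):
    """Merge stanza dicts lowest precedence first; a later layer overrides only the keys it sets,
    so a stanza that local never mentions keeps every value from default."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


def is_enabled(settings):
    """An input with no 'disabled' key is enabled; '1' or 'true' switches it off."""
    return settings.get("disabled", "0").strip().lower() not in ("1", "true")


def enabled_inputs(default_text, local_text):
    """Sorted names of the stanzas still enabled once local is layered over default."""
    merged = merge_layers(read_conf(default_text), read_conf(local_text))
    return sorted(stanza for stanza, settings in merged.items() if is_enabled(settings))


if __name__ == "__main__":
    print("local declares only the wanted input:")
    for name in enabled_inputs(DEFAULT_INPUTS, LOCAL_INPUTS_INCOMPLETE):
        print("  enabled:", name)
    print("local also disables the default scripted inputs:")
    for name in enabled_inputs(DEFAULT_INPUTS, LOCAL_INPUTS_FIXED):
        print("  enabled:", name)
```

On a real forwarder you do not need to reason this out by hand: `splunk btool inputs list --debug` prints the merged view of every inputs.conf with the file each line came from, which is the quickest way to find a stanza that is still enabled in some default directory you never edited.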