
Is there a way to configure the inputs to use the source to find, then set the sourcetype and index when changing the sourcetype of Windows Forwarded Events?

adalbor
Builder

Hey all,

I am looking to change the sourcetype of events originating from the source = WinEventLog:Microsoft-Windows-Windows Defender/Operational logs that are coming in through the Forwarded Events log on one of our WECs that's collected via UF.

I want to send them to their own index and have that unique sourcetype so I can use it with the TA-microsoft-windefender.

Is there a way to configure the inputs to use the source to find, then set the sourcetype and index?

0 Karma
1 Solution

DavidHourani
Super Champion

Hi @adalbor,

From your Windows TA on your UF, in the local folder, find the relevant monitor stanza in inputs.conf: [WinEventLog://<name>]

And simply add the index name you wish to route to there. This works similarly to defining which index a specific file monitor goes to.

Let me know if this works out for you.

Cheers,
David


0 Karma

adalbor
Builder

This is what I have so far, trying to test if it will work.

props.conf
[source::WinEventLog:Microsoft-Windows-Windows Defender/Operational]
TRANSFORMS-windef = win_defender_sourcetype,win_defender_index

transforms.conf
[win_defender_sourcetype]
REGEX = *
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::windows:defender

[win_defender_index]
REGEX = *
DEST_KEY = _MetaData:Index
FORMAT = ms_def

I have it on the HFs and IDXs.

0 Karma

adalbor
Builder

The above didn't work and I tried changing the wildcard to a period and still nothing.

Anyone have any recommendations to make this work?

0 Karma


adalbor
Builder

Hey David,
I have the index specified for the monitoring stanza already.

I have Windows Security/System/WinDefender/Bitlocker events all going to the Forwarded Events on a WEC.

I was looking for a way to break out my WinDefender and Bitlocker events from that monitoring stanza by sourcetype and also put them in their own index.

The WEC that is collecting these events doesn't have WinDefender or Bitlocker installed, so their respective log locations don't exist.

Thanks
Andrew

0 Karma

DavidHourani
Super Champion

In that case, since the data is already mixed up, the only way to split the results is to route it to a different index on the indexing layer; there is nothing to be done on the UF layer for splitting it out:
https://answers.splunk.com/answers/50761/how-do-i-route-data-to-specific-index-based-on-a-field.html

adalbor
Builder

Thank you!

DavidHourani
Super Champion

Most welcome @adalbor, let me know if you need anything else and please accept the answer and upvote if it was helpful!

bryceweb22
Path Finder

If your data has already been indexed there is no way to change the sourcetype. You would need to delete it and reindex. Try this:

https://answers.splunk.com/answers/1487/some-of-my-data-does-not-have-the-correct-sourcetype-can-i-c...

0 Karma

adalbor
Builder

Thanks for the input... not trying to re-index data, though.

0 Karma

gcusello
SplunkTrust

Hi adalbor,
see https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Advancedsourcetypeoverrides
Anyway, try something like this:

[your_original_sourcetype]
REGEX = <your_regex>
FORMAT = sourcetype::<your_custom_sourcetype_value>
DEST_KEY = MetaData:Sourcetype

but remember that with the original TA_Windows you already have all the fields correctly defined; if you override it instead, you have to redefine all of them.
Bye.
Giuseppe
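An added worked example, not posted by anyone in this thread, that puts David's route-on-the-indexing-layer answer and Giuseppe's sourcetype override together for the forwarded-events case: the stanza keys on the real source of the feed (WinEventLog:ForwardedEvents) and matches the original channel inside the event body, rather than on a Defender source that never exists on the WEC. It assumes the classic text rendering (renderXml = false) carries a LogName= line with the original channel name, reuses the windows:defender sourcetype and ms_def index tried earlier in the thread, and assumes ms_def already exists on the indexers.

```ini
# Added example, not from the thread. Deploy on the HF or indexer that parses
# the UF's data (index-time transforms do nothing on a universal forwarder).

# ---- props.conf ----
# Key on the source the WEC feed actually arrives with, not on the Defender
# channel: on the collector every forwarded event has this one source value.
[source::WinEventLog:ForwardedEvents]
TRANSFORMS-windef = win_defender_sourcetype, win_defender_index

# ---- transforms.conf ----
# Assumption: the classic rendering keeps the originating channel in a
# "LogName=<channel>" line. (?m) lets ^ anchor at the start of that line, so
# the regex cannot match a channel name quoted inside some other event's text.
# If renderXml = true is set on the input, match
#   <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
# instead.
[win_defender_sourcetype]
REGEX = (?m)^LogName=Microsoft-Windows-Windows Defender/Operational
FORMAT = sourcetype::windows:defender
DEST_KEY = MetaData:Sourcetype

# Same match, second destination: the index. Note the leading underscore in
# _MetaData:Index; MetaData:Sourcetype has none. The target index must exist
# on the indexers or the events are dropped with an error in splunkd.log.
[win_defender_index]
REGEX = (?m)^LogName=Microsoft-Windows-Windows Defender/Operational
FORMAT = ms_def
DEST_KEY = _MetaData:Index
```

Before deploying, confirm the field the regex keys on survives collection with a search such as `source="WinEventLog:ForwardedEvents" | stats count by LogName`; if LogName only ever shows ForwardedEvents, switch the input to XML rendering and match the Channel element as noted in the comments. Index-time changes only affect data parsed after the restart, which is consistent with the earlier reply that already-indexed events cannot be re-sourcetyped in place.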

adalbor
Builder

Is there a way to also send it to a unique index?

0 Karma

adalbor
Builder

Thank you! Will give this a shot.

0 Karma