Getting Data In

Remote Event Log (Windows) Filtering by EventCode not working

hughkelley
Path Finder

I know this question has been asked many times over, but I can't see how my .conf files are different than the working examples. I seem to be getting all EventCodes in my index.

Could someone please do a double-check here?

# apps/search/local/wmi.conf
#
[default]

[WMI:DC Event Logs]
disabled = 0
event_log_file =  Security
interval = 5
server = a-dc-01



# system/local/props.conf  (also tried putting this under search)
#
[source::WMI:WinEventLog:Security]
TRANSFORMS-WMISecurityLog = setWMISecurityLogRetain,setWMISecurityLogNull


# system/local/transforms.conf (also tried putting this under search)
#
[setWMISecurityLogNull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setWMISecurityLogRetain]
REGEX = (?m)^EventCode=(4662|5136|5137|5138|5139|5141)\D
DEST_KEY = queue
FORMAT = indexQueue

I'm trying to limit the log entries to the IDs above but I'm getting many more EventCodes than I want.

EventCode count(EventCode)
--------- ----------------
 4662               44
 4735               38
 4768               84
 4769             2413
 4770               79
 4771               13
 4776              162
 5159             1870

Thanks in advance, Hugh

Tags (1)
0 Karma

yannK
Splunk Employee
Splunk Employee

UPDATE splunk 6.*
Since this version you can actually specify a list or range of eventCodes to exclude at the forwarder level, in inputs.conf. It will reduce the volume at the forwarder level and reduce the network load.

see
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

example:

[WinEventLog:Security]
disabled = 0
blacklist=566,800-850

0 Karma

yannK
Splunk Employee
Splunk Employee

see example :
Additional method to filter since Splunk 6.*
http://answers.splunk.com/answers/116817/filter-wineventlog-events-based-on-the-eventcodes

0 Karma

yannK
Splunk Employee
Splunk Employee

If you want to keep only the events listed in setWMISecurityLogRetain and drop the rest, please invert the order of your transforms.


TRANSFORMS-WMISecurityLog = setWMISecurityLogNull,setWMISecurityLogRetain

BEWARE : On recent versions of the windows app, the sourcetype for windowsevents has changed, so should change the props.conf
[wmi] in splunk 4.1
[WMI:WinEventLog:Security] in 4.2

please try then both, or use them both if you have a mix of forwarder's versions to cover them all.

hughkelley
Path Finder

I'm still exploring this theory, but it seems like

this doesn't match the events

[source::WMI:WinEventLog:Security]

but this does (specifying sourcetype, as opposed to source).

[WMI:WinEventLog:Security]

Does that sound right?

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...