and it's not working. Why?
I can tell by viewing the event in Splunk that my WMI events have the following metadata:
host=WMIHost source=WMI:WinEventLog:Security sourcetype=WMI:WinEventLog:Security
My configuration is as follows:
props.conf:
[WMI:WinEventLog:Security]
TRANSFORMS-wminull = nullit
transforms.conf:
[nullit]
REGEX=(?m)^EventCode=(592|593)
DEST_KEY=queue
FORMAT=nullQueue
I'm trying to route certain WMI events (that match EventCode=592 or EventCode=593) to nullQueue and my configuration is not working.
Because of the way WMI events are processed, when filtering on these you must use the [wmi] sourcetype stanza in props.conf:
[wmi]
TRANSFORMS-wminull = nullit
How does this work if you are trying to filter Windows Events, but not using WMI, but rather a Universal Forwarder?
Thanks,
-Matt
In which file or subfolder do I have to create or edit the props.conf and transforms.conf? In the subdirectory of the Windows App / local?
Thanks in advance!
I have it set the other way: I am only indexing certain events and sending everything else to the null queue:
props.conf
[wmi]
TRANSFORMS-wmifilter = wmi-null, wmi-filter
[source::wineventlog:security]
TRANSFORMS-evtlog = log-null, log-filter
transforms.conf
[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[wmi-filter]
REGEX = EventCode=(560|529)
DEST_KEY = queue
FORMAT = indexQueue
Try switching them round, should work.
I would recommend the following minor REGEX change. Try using EventCode=(560|529)\D. This makes sure that there are no trailing digits behind your match. For example, you don't want to match "EventCode=5291".
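Added example, not from any post in this thread: a small Python model of how Splunk walks a TRANSFORMS list in order, with the last transform whose REGEX matches setting DEST_KEY = queue. It assumes the props.conf stanza (the [wmi] stanza from the accepted answer) has already handed the event to these transforms, and it only models the transforms.conf side. It runs the "null everything, then whitelist 560/529" pair from the answer above over four constructed events, once with the loose EventCode=(560|529) regex and once with the trailing \D, and also the asker's original nullit transform, so you can see which queue each EventCode lands in. The sample events and timestamps are constructed for the example.

```python
import re

# Constructed sample WMI:WinEventLog:Security events (not from the original
# post). Splunk keeps the whole multi-line event in _raw, with EventCode=NNN
# on its own line, so the regexes below are applied in multiline mode.
SAMPLE_EVENTS = [
    "06/01/2010 10:00:00 AM\nLogName=Security\nEventCode=560\nMessage=Object Open",
    "06/01/2010 10:00:01 AM\nLogName=Security\nEventCode=529\nMessage=Logon Failure",
    "06/01/2010 10:00:02 AM\nLogName=Security\nEventCode=5291\nMessage=constructed decoy",
    "06/01/2010 10:00:03 AM\nLogName=Security\nEventCode=592\nMessage=New process created",
]

# transforms.conf stanzas from the thread as (name, REGEX, FORMAT). Every one
# writes DEST_KEY = queue, so when several match, the last one listed wins.
LOOSE_TRANSFORMS = [
    ("wmi-null",   r".",                     "nullQueue"),   # everything to null
    ("wmi-filter", r"EventCode=(560|529)",   "indexQueue"),  # whitelist back
]
TIGHT_TRANSFORMS = [
    ("wmi-null",   r".",                     "nullQueue"),
    ("wmi-filter", r"EventCode=(560|529)\D", "indexQueue"),  # no trailing digit
]
# The asker's blacklist-style transform: only 592/593 go to nullQueue.
QUESTION_TRANSFORMS = [
    ("nullit", r"(?m)^EventCode=(592|593)", "nullQueue"),
]


def route_event(raw, transforms, default_queue="indexQueue"):
    """Return the queue an event ends up in after the TRANSFORMS list is
    applied in order. A later matching transform overwrites the queue set
    by an earlier one, which is what makes null-then-whitelist work."""
    queue = default_queue
    for _name, regex, fmt in transforms:
        if re.search(regex, raw, re.MULTILINE):
            queue = fmt
    return queue


def route_all(events, transforms):
    """Map each event's EventCode to the queue it is routed to."""
    routed = {}
    for raw in events:
        code = re.search(r"^EventCode=(\d+)", raw, re.MULTILINE).group(1)
        routed[code] = route_event(raw, transforms)
    return routed


if __name__ == "__main__":
    print("asker's nullit :", route_all(SAMPLE_EVENTS, QUESTION_TRANSFORMS))
    print("loose whitelist:", route_all(SAMPLE_EVENTS, LOOSE_TRANSFORMS))
    print("tight whitelist:", route_all(SAMPLE_EVENTS, TIGHT_TRANSFORMS))
```

With the loose regex the decoy EventCode=5291 is indexed because "EventCode=529" is a prefix of it; with the trailing \D it falls through to the null queue set by wmi-null. Splunk's REGEX is PCRE rather than Python's re, but for these patterns the two behave the same.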