and it's not working. Why?
I can tell by viewing the event in Splunk that my WMI events have the following metadata:
host=WMIHost source=WMI:WinEventLog:Security sourcetype=WMI:WinEventLog:Security
My configuration is as follows:
# props.conf
[WMI:WinEventLog:Security]
TRANSFORMS-wminull = nullit

# transforms.conf
[nullit]
REGEX = (?m)^EventCode=(592|593)
DEST_KEY = queue
FORMAT = nullQueue
I'm trying to route certain WMI events (that match EventCode=592 or EventCode=593) to nullQueue and my configuration is not working.
Because of the way WMI events are processed, when filtering on these you must use the [wmi] sourcetype stanza in props.conf:
# props.conf
[wmi]
TRANSFORMS-wminull = nullit
I have it set the other way: I am only indexing certain events and sending everything else to the null queue:

# props.conf
[wmi]
TRANSFORMS-wmifilter = wmi-null, wmi-filter

[source::wineventlog:security]
TRANSFORMS-evtlog = log-null, log-filter

# transforms.conf
[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[wmi-filter]
REGEX = EventCode=(560|529)
DEST_KEY = queue
FORMAT = indexQueue

Try switching them round, should work.
I would recommend the following minor REGEX change. Try using EventCode=(560|529)\D; this makes sure that there are no trailing digits behind your match. For example, you don't want to match "EventCode=5291".
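The two points made in the answers above (the catch-all nullQueue transform must come before the indexQueue whitelist, and the bare regex also matches EventCode=5291) can be checked offline. The following is an added example, not code from the thread or from Splunk: a small Python emulation of how Splunk walks the transforms named in one TRANSFORMS- setting in order and lets the last matching transform set the queue. The sample events are constructed to look like WMI:WinEventLog:Security output, and the (?!\d) lookahead variant is an assumption offered here as an alternative guard, not something suggested in the thread; it is included because \D needs some character after the code, so an EventCode that is the very last thing in the event would be dropped by the \D version.

```python
import re

# Constructed sample events laid out like WMI:WinEventLog:Security output.
# These are made up for this example; they are not data from the thread.
SAMPLE_EVENTS = {
    "logon_529":   "LogName=Security\r\nEventCode=529\r\nEventType=16\r\nMessage=Logon Failure\r\n",
    "object_560":  "LogName=Security\r\nEventCode=560\r\nEventType=8\r\nMessage=Object Open\r\n",
    "other_5291":  "LogName=Security\r\nEventCode=5291\r\nEventType=8\r\nMessage=Something else\r\n",
    "cleared_517": "LogName=Security\r\nEventCode=517\r\nEventType=8\r\nMessage=Audit log cleared\r\n",
    # Edge case: EventCode is the last field and nothing follows it.
    "trailing_529": "LogName=Security\r\nEventCode=529",
}


def route(event, transforms):
    """Emulate Splunk applying the transforms of one TRANSFORMS-<name> setting.

    Each transform is a (compiled REGEX, FORMAT) pair. Every transform whose
    REGEX matches writes DEST_KEY=queue, so the last matching one decides.
    An event that no transform matches keeps the default indexQueue.
    """
    queue = "indexQueue"
    for regex, dest in transforms:
        if regex.search(event):
            queue = dest
    return queue


def route_all(transforms):
    """Route every sample event and return {name: queue} for inspection."""
    return {name: route(ev, transforms) for name, ev in SAMPLE_EVENTS.items()}


# Catch-all null first, then the whitelist, as in the answer above.
WHITELIST_BARE = [
    (re.compile(r"."), "nullQueue"),
    (re.compile(r"EventCode=(560|529)"), "indexQueue"),
]

# Same pair with the suggested \D guard against trailing digits.
WHITELIST_GUARDED = [
    (re.compile(r"."), "nullQueue"),
    (re.compile(r"EventCode=(560|529)\D"), "indexQueue"),
]

# Alternative guard (assumption, not from the thread): a negative lookahead
# rejects a following digit without requiring that any character follows.
WHITELIST_LOOKAHEAD = [
    (re.compile(r"."), "nullQueue"),
    (re.compile(r"EventCode=(560|529)(?!\d)"), "indexQueue"),
]

# The same two transforms in the wrong order: the catch-all runs last,
# matches everything, and overrides the whitelist for every event.
WRONG_ORDER = [
    (re.compile(r"EventCode=(560|529)"), "indexQueue"),
    (re.compile(r"."), "nullQueue"),
]


if __name__ == "__main__":
    for label, transforms in (
        ("bare", WHITELIST_BARE),
        ("\\D guard", WHITELIST_GUARDED),
        ("(?!\\d) guard", WHITELIST_LOOKAHEAD),
        ("wrong order", WRONG_ORDER),
    ):
        print(label)
        for name, queue in route_all(transforms).items():
            print(f"  {name:13s} -> {queue}")
```

Running it shows the bare regex letting EventCode=5291 through to indexQueue, the \D version fixing that but dropping the event whose EventCode is the final field, the lookahead keeping both behaviours correct, and the reversed order sending every event to nullQueue regardless of its code.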
In which file or subfolder do I have to create or edit props.conf and transforms.conf? In the subdirectory of the Windows App / local?
Thanks in advance!
How does this work if you are trying to filter Windows Events, but not using WMI, but rather a Universal Forwarder?