
Try to route certain WMI events to nullQueue


and it's not working. Why?

I can tell by viewing the event in Splunk that my WMI events have the following metadata:

host=WMIHost source=WMI:WinEventLog:Security sourcetype=WMI:WinEventLog:Security

My configuration is as follows:

props.conf:

[WMI:WinEventLog:Security]
TRANSFORMS-wminull = nullit

transforms.conf:

[nullit]
REGEX=(?m)^EventCode=(592|593)
DEST_KEY=queue
FORMAT=nullQueue

I'm trying to route certain WMI events (that match EventCode=592 or EventCode=593) to nullQueue and my configuration is not working.


Re: Try to route certain WMI events to nullQueue


Because of the way WMI events are processed, when filtering on these you must use the [wmi] sourcetype stanza in props.conf:

[wmi]
TRANSFORMS-wminull = nullit



Re: Try to route certain WMI events to nullQueue


I have it set the other way: I am only indexing certain events and sending everything else to the nullQueue:

props.conf

[wmi]
TRANSFORMS-wmifilter = wmi-null, wmi-filter

[source::wineventlog:security]
TRANSFORMS-evtlog = log-null, log-filter

transforms.conf

[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[wmi-filter]
REGEX=EventCode=(560|529)
DEST_KEY = queue
FORMAT = indexQueue

Try switching them round, should work.


Re: Try to route certain WMI events to nullQueue


I would recommend the following minor REGEX change. Try using EventCode=(560|529)\D; this makes sure that there are no trailing digits behind your match. For example, you don't want to match "EventCode=5291".

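To make the two points in this thread concrete (the accepted answer's "use the [wmi] stanza" and the \D refinement above), here is an added example that is not from the thread or from Splunk: a small Python simulation of how a TRANSFORMS- list is applied to an event's _raw. It assumes the documented Splunk behaviour that stanzas run in the listed order and the last match to set DEST_KEY=queue wins, and, as the accepted answer states, that WMI events reach the parsing pipeline under sourcetype "wmi". The sample events are constructed in the multi-line key=value layout the WMI input produces and include one deliberately odd "EventCode=5291" line and one event whose EventCode is the last line; both are assumptions for illustration, not real captures.

```python
import re

# Constructed sample events in the multi-line key=value _raw layout that the
# Splunk WMI input produces for Security events. Only the fields needed to
# exercise the regexes are present; these are not real captures.
SAMPLE_EVENTS = {
    "logon_529":     "LogName=Security\nEventCode=529\nEventType=16\nMessage=Logon Failure",
    "handle_560":    "LogName=Security\nEventCode=560\nEventType=8\nMessage=Object Open",
    "proc_592":      "LogName=Security\nEventCode=592\nEventType=8\nMessage=A new process has been created",
    "proc_593":      "LogName=Security\nEventCode=593\nEventType=8\nMessage=A process has exited",
    "bogus_5291":    "LogName=Security\nEventCode=5291\nEventType=8\nMessage=Constructed: trailing digit",
    "last_line_529": "LogName=Security\nMessage=Logon Failure\nEventCode=529",
}

# Per the accepted answer, WMI events reach the parsing pipeline under
# sourcetype "wmi"; WMI:WinEventLog:Security is what you see at search time.
PARSE_TIME_SOURCETYPE = "wmi"


def transform(name, regex, fmt, dest_key="queue"):
    """One transforms.conf stanza: REGEX, DEST_KEY, FORMAT (Python re stands in for PCRE)."""
    return {"name": name, "regex": re.compile(regex), "dest_key": dest_key, "format": fmt}


def route(raw, transforms, default_queue="indexQueue"):
    """Apply the stanzas of one TRANSFORMS-<class> list in order.

    Every matching stanza overwrites DEST_KEY, so the last match wins; an
    event that no stanza matches keeps the default queue.
    """
    keys = {"queue": default_queue}
    for t in transforms:
        if t["regex"].search(raw):
            keys[t["dest_key"]] = t["format"]
    return keys["queue"]


def transforms_for(props, parse_time_sourcetype):
    """props.conf lookup, simplified to an exact sourcetype stanza match."""
    return props.get(parse_time_sourcetype, [])


def route_all(events, props, parse_time_sourcetype=PARSE_TIME_SOURCETYPE):
    transforms = transforms_for(props, parse_time_sourcetype)
    return {name: route(raw, transforms) for name, raw in events.items()}


# Blocklist from the original post: drop 592/593, keep everything else.
NULLIT = [transform("nullit", r"(?m)^EventCode=(592|593)", "nullQueue")]
OP_PROPS = {"WMI:WinEventLog:Security": NULLIT}   # never matches at parse time
FIXED_PROPS = {"wmi": NULLIT}                      # the accepted answer's stanza


def allowlist_props(filter_regex, null_first=True):
    """Allowlist from the second reply: null everything, then re-route the
    wanted codes to indexQueue. Listing the filter first drops every event."""
    stanzas = [
        transform("wmi-null", r".", "nullQueue"),
        transform("wmi-filter", filter_regex, "indexQueue"),
    ]
    return {"wmi": stanzas if null_first else stanzas[::-1]}


# Three ways to write the allowlist regex; they differ only in anchoring.
FILTER_REGEXES = {
    "unanchored":    r"EventCode=(560|529)",        # also matches EventCode=5291
    "backslash_D":   r"EventCode=(560|529)\D",      # needs a character after the code
    "line_anchored": r"(?m)^EventCode=(560|529)$",  # whole line, end of event allowed
}


def compare_filters(events=SAMPLE_EVENTS):
    return {label: route_all(events, allowlist_props(rx)) for label, rx in FILTER_REGEXES.items()}


if __name__ == "__main__":
    print("OP stanza:    ", route_all(SAMPLE_EVENTS, OP_PROPS))
    print("[wmi] stanza: ", route_all(SAMPLE_EVENTS, FIXED_PROPS))
    for label, result in compare_filters().items():
        print(f"{label:14s}", result)
    print("filter first: ", route_all(SAMPLE_EVENTS,
                                     allowlist_props(FILTER_REGEXES["backslash_D"], null_first=False)))
```

Running it shows the original post's stanza routing nothing to nullQueue because it is never consulted, the [wmi] stanza dropping only 592/593, the unanchored allowlist letting "EventCode=5291" through, and \D closing that hole. It also shows the one caveat of \D: it needs a character after the code, so an event whose EventCode line is the last thing in _raw with no trailing newline is silently dropped; (?m)^EventCode=(560|529)$ accepts both cases. Finally, reversing the stanza order (filter before null) sends every event to nullQueue, which is why the null stanza must come first.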

Re: Try to route certain WMI events to nullQueue


In which file or subfolder do I have to create or edit props.conf and transforms.conf? In the local subdirectory of the Windows App?

Thanks in advance!


Re: Try to route certain WMI events to nullQueue


How does this work if you are trying to filter Windows Events, but not using WMI, but rather a Universal Forwarder?

Thanks,
-Matt
