Getting Data In
Highlighted

Using Heavy Forwarded to Send Subset of Data to 3rd Party and Not Index

New Member

Having issues with routing data to a 3rd party and then dropping the events from being indexed. The Windows event is being sent to the 3rd party but also is being indexed. I currently have a case open with support but wanted to ask the question to see if anyone has dealt with the issue before.

-bash-4.2$ more props.conf
[source::WinEventLog:Security]
TRANSFORMS-pta = ptasyslogfilter

[WinEventLog:Security]
TRANSFORMS-eventcodes = badevents

-bash-4.2$ more transforms.conf

Send eventcode 4624 to 3rd party

[ptasyslogfilter]
REGEX = .EventCode=4624.
DESTKEY =SYSLOGROUTING
FORMAT = pta
syslog

Windows events to drop. If I add 4624 below, the events are not sent to 3rd party.
[badevents]
REGEX=(?m)EventCode=(4634|560|562|5156|4689|4648|4662|4769|5061|5058)
DEST_KEY=queue
FORMAT=nullQueue

-bash-4.2$ more outputs.conf
[tcpout]
defaultGroup = default-autolb-group

[syslog:pta_syslog]
server = 3rdPartyHostIP:11514
sendCookedData = false
type=udp
timestampformat = %s

Splunk indexers
[tcpout:default-autolb-group]
server = indexer1:9997, indexer2:9997
autoLB = true

0 Karma
Highlighted

Re: Using Heavy Forwarded to Send Subset of Data to 3rd Party and Not Index

Super Champion

You are very close. All You need is just to put the transforms in sequence and then you can add 4624 also to your badevents

[WinEventLog:Security]
TRANSFORMS-pta = pta_syslog_filter, badevents

Please note; I'ven't verified your REGEX is correct or NOT. I was just saying the approach only.

0 Karma
Highlighted

Re: Using Heavy Forwarded to Send Subset of Data to 3rd Party and Not Index

New Member

Thanks for the suggestion but unfortunately I am getting the same result after making the changes. EventCode 4624 is still being indexed. Any other thoughts of what it could be?

-bash-4.2$ more props.conf
[source::WinEventLog:Security]
TRANSFORMS-pta = ptasyslogfilter, badevents

-bash-4.2$ more transforms.conf
[ptasyslogfilter]
REGEX = .EventCode=4624.
DESTKEY =SYSLOGROUTING
FORMAT = pta
syslog

[badevents]
REGEX=(?m)EventCode=(4634|560|562|5156|4689|4648|4662|4769|5061|5058)
DEST_KEY=queue
FORMAT=nullQueue

0 Karma
Highlighted

Re: Using Heavy Forwarded to Send Subset of Data to 3rd Party and Not Index

Super Champion

that's coz you haven't put 4624 in your REGEX
Try..

[badevents]
REGEX=(?m)EventCode=(4624|4634|560|562|5156|4689|4648|4662|4769|5061|5058)
DEST_KEY=queue
FORMAT=nullQueue
0 Karma
Highlighted

Re: Using Heavy Forwarded to Send Subset of Data to 3rd Party and Not Index

New Member

When I add 4624 to my REGEX, the events are not sent to the 3rd party. Is there a way to send 4624 events on the HF and then drop the events when they get to the indexers?

0 Karma
Highlighted

Re: Using Heavy Forwarded to Send Subset of Data to 3rd Party and Not Index

Super Champion

if you put the props.conf stanza with pta_syslog_filter first, surely it will send to 3rd party and then ONLY action the badevents. You may need to playaround with

[source::WinEventLog:Security]
TRANSFORMS-pta = pta_syslog_filter, badevents

transforms.conf

[pta_syslog_filter]
REGEX = .*EventCode=4624.*
DEST_KEY =_SYSLOG_ROUTING
FORMAT = pta_syslog

[badevents]
REGEX=(?m)EventCode=(4624|4634|560|562|5156|4689|4648|4662|4769|5061|5058)
DEST_KEY=queue
FORMAT=nullQueue

Also you need to have stanza in outputs.conf

[syslog: pta_syslog]
server = loghost.example.com:514

to send it

0 Karma