Hello,
We are trying to cut the message field out of all of the Windows Security Logs coming from our domain controllers. I have tried looking through some of the other answer posts and I have tried using this article where you put
[WinEventLog:Security]
disabled = 0
suppress_text = 1
However I am not sure exactly what that references to remove data from the log. I know older answers said you could use a regex on the props.conf and transforms.conf file but I wasn't sure if that was still the best way for Splunk 6.
All that said, could anyone help with removing the Message text from Windows Security Logs? Thanks in advance!
According to <splunk_home>\etc\system\README\inputs.conf.spec, as below, the change you mention should remove the event description/text as you are trying to do:
[WinEventLog://<name>]
suppress_text = [0|1]
* Tells Splunk whether or not to include the description of the event text for a given Event Log event.
* Optional. This parameter can be left empty.
* A value of 1 suppresses the inclusion of the event text description.
* A value of 0 includes the event text description.
* If no value is present, defaults to 0.
So your inputs.conf entry should look like:
[WinEventLog://Security]
disabled = 0
suppress_text = 1
This is what you have tried, right?
If it's not working then double-check that your config is going to be active by using the btool command from the <splunk_home>\bin folder:
splunk cmd btool inputs list --debug
and check that the block for WinEventLog://Security has the suppress_text value set to 1. Also ensure you restart Splunk after the config change.
By the way, this README folder where the above is located is extremely useful for looking at what parameters are available to you for each config file - there's a .spec and a .example file for each config file you might use in Splunk.
Personally I've had mixed success with the Windows event log filtering built into v6. Filtering out event IDs in the input hasn't always completely filtered the event. Perhaps there are some nuances with the filter that I'm not aware of. When I wanted to filter out certain event IDs I ended up implementing nullQueue filtering using props and transforms.
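As an added example (not code from the answer above or from Splunk), here is a small Python parser for the btool `--debug` listing that reports which file the effective suppress_text value for WinEventLog://Security comes from, which is what exposes an entry that was written to the wrong inputs.conf. The sample listing, the TA-DC app path and the assumed line layout (source path, whitespace, then a stanza header or key = value) are constructed assumptions, not output from the poster's system.

```python
import re

# Constructed sample of `splunk cmd btool inputs list --debug` output (assumption,
# not real output). Assumed layout: source file path, whitespace, then a [stanza]
# header or key = value; btool prints the merged result, so each key appears once.
SAMPLE_BTOOL_OUTPUT = r"""
C:\Program Files\Splunk\etc\system\default\inputs.conf    [WinEventLog://Security]
C:\Program Files\Splunk\etc\apps\TA-DC\local\inputs.conf    disabled = 0
C:\Program Files\Splunk\etc\system\default\inputs.conf    start_from = oldest
C:\Program Files\Splunk\etc\apps\TA-DC\local\inputs.conf    suppress_text = 1
C:\Program Files\Splunk\etc\system\default\inputs.conf    [WinEventLog://System]
C:\Program Files\Splunk\etc\system\default\inputs.conf    disabled = 1
"""

# Non-greedy up to ".conf" so paths containing spaces (Program Files) parse correctly.
LINE_RE = re.compile(r"^(?P<path>.+?\.conf)\s+(?P<body>\S.*)$")
KV_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")

def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_path)}} from btool --debug output."""
    stanzas, current = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unexpected line
        path, body = m.group("path"), m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and (kv := KV_RE.match(body)):
            stanzas[current][kv.group("key")] = (kv.group("value").strip(), path)
    return stanzas

def check_suppress_text(text, stanza="WinEventLog://Security"):
    """Return (value, source_path, ok) for the effective suppress_text of a stanza.
    ok is True only when the winning value is 1 and it comes from a file outside
    etc/system/default; a value still sourced from default means the entry was not read."""
    settings = parse_btool_debug(text).get(stanza)
    if settings is None:
        return (None, None, False)  # stanza not configured anywhere
    # The spec says suppress_text defaults to 0 when no value is present.
    value, path = settings.get("suppress_text", ("0", "<spec default>"))
    from_default = re.search(r"[\\/]system[\\/]default[\\/]", path) is not None
    return (value, path, value == "1" and not from_default)

if __name__ == "__main__":
    value, path, ok = check_suppress_text(SAMPLE_BTOOL_OUTPUT)
    print(f"suppress_text = {value} from {path}: {'effective' if ok else 'NOT effective'}")
```

Pipe the real btool output into `check_suppress_text` on the forwarder; a result sourced from etc\system\default is the same symptom the original poster hit.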
No worries glad to have helped.
Thank you. The issue was we had not put the entry in the correct inputs.conf file.
Thank you for the help it was easy to spot with that command.
The quoted text was added to the inputs.conf file. Sorry, I didn't say that in the original.