Hello, I am trying to modify the behaviour of a forwarder installed on a Windows server. I would like to prevent the forwarder from sending Windows events with EventType=4.
I have tried everything, but it still doesn't work: all EventTypes (1, 2, 3, 4) are still forwarded.
Thanks for your help
My props.conf is:
# Apply the wminullEvents transform to each Windows event log sourcetype
[WMI:WinEventLog:System]
TRANSFORMS-wmi=wminullEvents
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminullEvents
[WMI:WinEventLog:Application]
TRANSFORMS-wmi=wminullEvents
transforms.conf is:
[wminullEvents]
# Match events whose raw text has a line starting with EventType=4
REGEX=(?msi)^EventType=(4)
# Route matching events to the nullQueue so they are discarded
DEST_KEY=queue
FORMAT=nullQueue
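As an added check, not part of the original post or of Splunk itself, the following Python script replays the REGEX from the poster's transforms.conf against a few constructed WinEventLog-style events and reports which ones a DEST_KEY=queue / FORMAT=nullQueue transform would drop. It assumes that the regex is applied to the raw multi-line event text, which is why the ^ anchor (with the m flag) only matches EventType= at the start of a line and not inside a Message field.

```python
import re

# REGEX value copied from the transforms.conf in the question above.
NULLQUEUE_REGEX = r"(?msi)^EventType=(4)"

# Constructed sample events (not real log data), laid out like the
# multi-line key=value records Splunk produces for Windows event logs.
SAMPLE_EVENTS = [
    "05/10/2013 10:00:01 AM\nLogName=System\nEventCode=7036\nEventType=4\n"
    "Type=Information\nMessage=The service entered the running state.",
    "05/10/2013 10:00:02 AM\nLogName=Security\nEventCode=4625\nEventType=0\n"
    "Type=Audit Failure\nMessage=An account failed to log on.",
    "05/10/2013 10:00:03 AM\nLogName=Application\nEventCode=1000\nEventType=1\n"
    "Type=Error\nMessage=Faulting application.",
    "05/10/2013 10:00:04 AM\nLogName=System\nEventCode=6008\nEventType=2\n"
    "Type=Warning\nMessage=Unexpected shutdown.",
    # EventType=4 appears mid-line inside Message only; the ^ anchor must not match it.
    "05/10/2013 10:00:05 AM\nLogName=Application\nEventCode=1001\nEventType=1\n"
    "Type=Error\nMessage=Parser reported EventType=4 in the payload.",
]


def route_event(raw_event, regex=NULLQUEUE_REGEX):
    """Mimic a transform with DEST_KEY=queue and FORMAT=nullQueue:
    an event whose raw text matches the regex is dropped (nullQueue),
    everything else continues towards the index (indexQueue)."""
    return "nullQueue" if re.search(regex, raw_event) else "indexQueue"


def apply_filter(events, regex=NULLQUEUE_REGEX):
    """Return only the events that would survive the nullQueue filter."""
    return [e for e in events if route_event(e, regex) == "indexQueue"]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        event_type_line = event.splitlines()[3]
        print(f"{route_event(event):10s} <- {event_type_line}")
```

Running it shows only the first event going to the nullQueue and the other four passing through, including the one that merely mentions EventType=4 inside its Message. Note that this routing decision is only made where props.conf and transforms.conf are actually evaluated, that is on an indexer or heavy forwarder; a Universal Forwarder does not run these transforms, which is the point raised later in this thread.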
I have found the cause: the default setup doesn't forward anything. I have enabled the sources in the Manager. Now the events are forwarded by the heavy forwarder, but the filtering doesn't work; everything is forwarded.
I have installed the heavy forwarder but it doesn't forward any event.
I didn't configure props.conf and transforms.conf yet.
The process splunkd is running and config file outputs.conf seems correct.
Is there a logfile I can check to understand what happens?
Thanks
A Universal Forwarder cannot do filtering based on the event content; you need a Heavy Forwarder for that.
Splunk Universal Forwarder 5.0.2 (build 149561)
Run this:
$SPLUNK_HOME/bin/splunk version
No, I don't think so. I'm not sure, but I think it is a light forwarder. How can I recognize a heavy or light forwarder?
Is this on a heavy forwarder?