I have searched Splunk answers and official documentation for the last three days, but for the life of me can't get the result I'm after.
What I want is to collect Logon and Logoff events (be they success or failure) and discard all the rest. I found a few questions on this subject, but none of the solutions worked in my situation.
I set up a single Splunk server to collect Security Event logs from circa 200 Windows computers, all joined to a domain, using WMI. I know that best practice is to use the Universal Forwarder, but I'm trying to avoid it for different reasons, the first being the limited resources of our clients and the lower administrative effort compared to a per-client installation.
The problem is that I can't manage to filter the inputs and index only the desired events, with the result that just a fraction of the clients easily fills the 500MB daily quota limit.
This is the configuration I came up with so far, implemented on the Splunk server, not working as far as I can tell:
...\Splunk\etc\system\local\props.conf

```ini
[WinEventLog:Security]
TRANSFORMS-wmi=wminull,wmiparsing
```

...\Splunk\etc\system\local\transforms.conf

```ini
[wminull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[wmiparsing]
REGEX = (?m)^EventCode=(538|540|672|673|861)
DEST_KEY = queue
FORMAT = indexQueue
```
Note: I also made a couple of tries with wmi.conf and inputs.conf, but from what I gather these configuration files are not relevant to my configuration (single server and no forwarders at all).
Any help troubleshooting this issue would be very welcome.
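To see what the two transforms above are supposed to do before touching a production server, it helps to replay them against a few raw events by hand. The following Python script is an added example, not part of the question or of Splunk; it models the documented queue-routing rule (transforms listed in a TRANSFORMS-&lt;class&gt; line are applied in order, and for DEST_KEY = queue the last one that matches decides the queue) and feeds it constructed key=value events in the layout Splunk's Windows event log inputs produce. The event contents, host names and timestamps are made up for the demo; the regexes are the ones from the question.

```python
import re

# The two transforms.conf stanzas from the question, in the order props.conf
# lists them: TRANSFORMS-wmi = wminull, wmiparsing
TRANSFORMS = [
    {"name": "wminull", "regex": r".",
     "dest_key": "queue", "format": "nullQueue"},
    {"name": "wmiparsing", "regex": r"(?m)^EventCode=(538|540|672|673|861)",
     "dest_key": "queue", "format": "indexQueue"},
]


def route_event(raw, transforms=TRANSFORMS):
    """Apply queue-routing transforms in order; the last match wins.

    Returns the final queue name. Events that no transform touches keep the
    default indexQueue, which is why the catch-all 'wminull' has to come first.
    """
    queue = "indexQueue"
    for t in transforms:
        if t["dest_key"] != "queue":
            continue
        if re.search(t["regex"], raw):
            queue = t["format"]
    return queue


# Constructed sample events (values are made up for the demo).
KEEP_EVENT = """01/15/2014 09:12:33 AM
LogName=Security
SourceName=Security
EventCode=540
EventType=8
Type=Success Audit
ComputerName=WS-042.example.local
User=jdoe
Message=Successful Network Logon
"""

DROP_EVENT = """01/15/2014 09:12:40 AM
LogName=Security
SourceName=Security
EventCode=560
EventType=8
Type=Success Audit
ComputerName=WS-042.example.local
Message=Object Open
"""

# A wanted code appears inside the Message text, but the real EventCode is
# not wanted: the (?m)^ anchor only matches at the start of a line, so this
# event is still discarded.
TRICKY_EVENT = """01/15/2014 09:12:41 AM
LogName=Security
EventCode=560
Message=Object Open. Related EventCode=540 was seen earlier
"""


def summarize(events, transforms=TRANSFORMS):
    """Map each sample event name to the queue the transforms send it to."""
    return {name: route_event(raw, transforms) for name, raw in events.items()}


if __name__ == "__main__":
    samples = {"keep": KEEP_EVENT, "drop": DROP_EVENT, "tricky": TRICKY_EVENT}
    for name, queue in summarize(samples).items():
        print(f"{name}: {queue}")
    # Listing the stanzas the other way round routes everything to nullQueue,
    # because the catch-all then runs last and overrides the allow-list.
    print("reversed order:", summarize(samples, list(reversed(TRANSFORMS))))
```

Running it shows the 540 event landing in indexQueue and the other two in nullQueue, and that swapping the stanza order drops every event. What the script cannot tell you is whether the `[WinEventLog:Security]` stanza is applied to the incoming data at all: the routing only runs if the props.conf stanza name matches the sourcetype (or source/host) the events actually arrive with, which is the point the first reply below raises.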
If you're sure that the sourcetype in props.conf matches at 100%, try to use another TRANSFORMS class, like this:
It could be that the TRANSFORMS class you did specify (wmi) is not unique. The TRANSFORMS class must be unique - extract from docs:

```
TRANSFORMS-<class> = <transform_stanza_name>, <transform_stanza_name2>,...
* <class> is a unique literal string that identifies the namespace of the field you're extracting.
  **Note:** <class> values do not have to follow field name syntax restrictions.
  You can use characters other than a-z, A-Z, and 0-9, and spaces are allowed.
  <class> values are not subject to key cleaning.
```
hope this helps ...
Hi MuS, thanks for your feedback.
Unfortunately, even after changing the name to "TRANSFORMS-filter" and performing a splunk stop-clean-start, I still see all Security event data being indexed.
The filter is not working!
Just a guess: could "inputs.conf" help in this case? I seem to remember that I made a try, without success obviously.