I would like to know wether it is possible to filter remote windows eventlog based on the groups inside wmi.conf. I have a forwarder on a windows host, sending its messages to a linux box. I defined a group server and a group active directory server.
I want all Security Eventlogs from the active directory group but only "Audit fails" from the other server group. EventCode 697 should never be forwarded.
Filtering all is easy. props.conf:
[wmi]
TRANSFORMS_wmi=wminull
transforms.conf:
[wminull]
REGEX = (?m)^(EventCode=697|Type=Audit Success|Type=Success Audit)
DEST_KEY = queue
FORMAT = nullQueue
Filtering should be placed on the forwarder for licensing reasons. Anyone has an idea how to to this?
Thanks in advance.
Finally I created two regexes and defined the host twice..
[wmi_non_ad_697_lf]
REGEX = (?msi)ComputerName=(?!hosta|hostb).+?(EventCode=697|Type=Audit Success|Type=Success Audit|Type=.berwachung erfolgreich)
DEST_KEY = queue
FORMAT = nullQueue
[wmi_ad_697_lf]
# All AD servers with EventCode 697 get dropped
REGEX = (?msi)ComputerName=(?=hosta|hostb).+?(EventCode=697)
DEST_KEY = queue
FORMAT = nullQueue
Not very splunk, but works.
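To check the two nullQueue regexes from the answer above against sample events before deploying them, here is an added test harness (not from the thread or from Splunk). The sample events are constructed, hosta/hostb are the AD servers as in the regexes, and the anchored variant is my own suggestion, not the poster's.

```python
import re

# The two REGEX values as posted in the answer (hosta/hostb are the AD servers).
# "Type=.berwachung" is the German "Überwachung erfolgreich" with the umlaut matched by ".".
THREAD_TRANSFORMS = {
    "wmi_non_ad_697_lf": r"(?msi)ComputerName=(?!hosta|hostb).+?(EventCode=697|Type=Audit Success|Type=Success Audit|Type=.berwachung erfolgreich)",
    "wmi_ad_697_lf": r"(?msi)ComputerName=(?=hosta|hostb).+?(EventCode=697)",
}

# Added variant (assumption, not from the thread): anchor the host names with $ so that a
# host whose name merely starts with "hosta"/"hostb" (e.g. hostb2) is not treated as AD.
ANCHORED_TRANSFORMS = {
    "wmi_non_ad_697_lf": r"(?msi)ComputerName=(?!(?:hosta|hostb)$).+?(EventCode=697|Type=Audit Success|Type=Success Audit|Type=.berwachung erfolgreich)",
    "wmi_ad_697_lf": r"(?msi)ComputerName=(?=(?:hosta|hostb)$).+?(EventCode=697)",
}


def make_event(computer: str, code: int, etype: str) -> str:
    """Constructed sample in the multi-line key=value layout of a Splunk WMI event-log event."""
    return (
        "20120101120000.000000\n"
        f"ComputerName={computer}\n"
        f"EventCode={code}\n"
        "LogName=Security\n"
        f"Type={etype}\n"
    )


def route(event: str, transforms=THREAD_TRANSFORMS) -> str:
    """Name of the first transform whose REGEX matches (event goes to nullQueue),
    or 'index' if no nullQueue transform matches and the event is kept."""
    for name, pattern in transforms.items():
        if re.search(pattern, event):
            return name
    return "index"


if __name__ == "__main__":
    samples = [
        ("hostC", 697, "Audit Failure"),    # non-AD, 697 -> dropped
        ("hostC", 4624, "Audit Success"),   # non-AD, success -> dropped
        ("hostC", 4625, "Audit Failure"),   # non-AD, failure -> kept
        ("hostA", 4624, "Audit Success"),   # AD, success -> kept
        ("hostA", 697, "Audit Failure"),    # AD, 697 -> dropped
        ("hostB2", 4624, "Audit Success"),  # prefix pitfall: kept by thread regex, dropped by anchored
    ]
    for host, code, etype in samples:
        ev = make_event(host, code, etype)
        print(f"{host:7} {code:5} {etype:14} thread={route(ev):20} anchored={route(ev, ANCHORED_TRANSFORMS)}")
```

Run it against a few real events exported from the forwarder to confirm the field order of your WMI input matches the constructed layout.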
I am not sure what you mean by a "group" in wmi.conf? You mean different stanzas? If so, they will have different names, and you can filter on wmi_type=StanzaNameWithoutWMIPrefix.
However, I wonder if you have complicated this or basically, made things a lot more difficult for yourself by creating a different stanza for the same logs. It would be a lot better to filter on the host name, or report after the fact than to have a different sourcetype/source for WinEventLog:Security logs.
Whether filtering occurs on the forwarder or the indexer has no effect on licensing. Transforms must occur where parsing occurs. (Here.) If the forwarder is a Light Forwarder, parsing occurs on the indexer, and therefore the transforms and configuration must be set on the indexer.
wmi_type is set to WinEventLog:Security - no way to filter on my stanza. I would say I have different stanzas for nearly each log type. I have one stanza with three log files and another one with nine. The only thing is that I want to have all security logs from the second stanza and only failures from the first. I think I'm confused about stanzas and possible keys in the config files.
I really recommend you have a different stanza for each log type, because I am pretty sure there is nothing else in the data that would indicate which file a particular log came from.
ugly formatted..
I'll try the wmi_type - thank you!
I think I mean different stanzas:
[WMI:Servers]
Disabled=0
event_log_file = Application, Security, System
interval = 5
server = hostA,hostB...
[WMI:AD]
disabled = 0
event_log_file = DFS Replication, Directory Service, DNS Server, File Replication Service, HardwareEvents, Key Management Service, Security, System, Application
interval = 5
server = HostF, HostG...
As I have to define the hostname in wmi.conf I thought I can use this definition somewhere else. So I need to filter by hostname but I want to define the hostname only once and not in several files.
The forwarder is not the light one.