
WMI: filter remote Eventlogs by Host Groups

Explorer

I would like to know whether it is possible to filter remote Windows event logs based on the groups inside wmi.conf. I have a forwarder on a Windows host, sending its messages to a Linux box. I defined a group "server" and a group "active directory server".

I want all Security Eventlogs from the active directory group but only "Audit fails" from the other server group. EventCode 697 should never be forwarded.

Filtering everything is easy. props.conf:

[wmi]
TRANSFORMS_wmi=wminull

transforms.conf:

[wminull]
REGEX = (?m)^(EventCode=697|Type=Audit Success|Type=Success Audit)
DEST_KEY = queue
FORMAT = nullQueue

Filtering should be placed on the forwarder for licensing reasons. Does anyone have an idea how to do this?

Thanks in advance.


Re: WMI: filter remote Eventlogs by Host Groups

Splunk Employee

I am not sure what you mean by a "group" in wmi.conf. Do you mean different stanzas? If so, they will have different names, and you can filter on wmi_type=StanzaNameWithoutWMIPrefix.

However, I wonder if you have complicated this, or basically made things a lot more difficult for yourself, by creating a different stanza for the same logs. It would be a lot better to filter on the host name, or to report after the fact, than to have a different sourcetype/source for WinEventLog:Security logs.

Whether filtering occurs on the forwarder or the indexer has no effect on licensing. Transforms must occur where parsing occurs. (Here.) If the forwarder is a Light Forwarder, parsing occurs on the indexer, and therefore the transforms and configuration must be set on the indexer.


Re: WMI: filter remote Eventlogs by Host Groups

Explorer

I think I mean different stanzas:

[WMI:Servers]
disabled = 0
eventlogfile = Application, Security, System
interval = 5
server = hostA,hostB...

[WMI:AD]
disabled = 0
eventlogfile = DFS Replication, Directory Service, DNS Server, File Replication Service, HardwareEvents, Key Management Service, Security, System, Application
interval = 5
server = HostF, HostG...

As I have to define the hostname in wmi.conf, I thought I could use this definition somewhere else. So I need to filter by hostname, but I want to define the hostname only once and not in several files.
The forwarder is not the light one.


Re: WMI: filter remote Eventlogs by Host Groups

Explorer

Ugly formatting..
I'll try the wmi_type - thank you!


Re: WMI: filter remote Eventlogs by Host Groups

Splunk Employee

I really recommend you have a different stanza for each log type, because I am pretty sure there is nothing else in the data that would indicate which file a particular log came from.


Re: WMI: filter remote Eventlogs by Host Groups

Explorer

wmi_type is set to WinEventLog:Security - no way to filter on my stanza. I would say I have different stanzas for nearly each log type. I have one stanza with three log files and another one with nine. The only thing is that I want to have _all_ security logs from the second stanza and only failures from the first. I think I'm confused about stanzas and possible keys in the config files.


Re: WMI: filter remote Eventlogs by Host Groups

Explorer

Finally I created two regexes and defined the hosts twice..

[wmi_non_ad_697_lf]
# Non-AD servers: drop EventCode 697 and all successful audits
REGEX = (?msi)ComputerName=(?!hosta|hostb).+?(EventCode=697|Type=Audit Success|Type=Success Audit|Type=.berwachung erfolgreich)
DEST_KEY = queue
FORMAT = nullQueue

[wmi_ad_697_lf]
# All AD servers with EventCode 697 are dropped
REGEX = (?msi)ComputerName=(?=hosta|hostb).+?(EventCode=697)
DEST_KEY = queue
FORMAT = nullQueue

Not very Splunk, but it works.

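As an added check that is not part of the thread, the following Python harness replays the two transforms above over constructed WMI events (hostA/hostB standing in for the AD hosts, hostC for a plain server) and reports which ones land in nullQueue. It assumes Splunk's WMI field order (ComputerName before EventCode and Type) and that Python's re and Splunk's PCRE agree on these patterns, which holds for the constructs used here.

```python
import re

# The two transforms.conf regexes posted above, tried in order; a match on
# either one routes the event to nullQueue, otherwise it is indexed.
NULLQUEUE_REGEXES = [
    # Non-AD hosts: drop EventCode 697 and every successful audit.
    r"(?msi)ComputerName=(?!hosta|hostb).+?"
    r"(EventCode=697|Type=Audit Success|Type=Success Audit|Type=.berwachung erfolgreich)",
    # AD hosts (hosta, hostb): drop only EventCode 697.
    r"(?msi)ComputerName=(?=hosta|hostb).+?(EventCode=697)",
]
COMPILED = [re.compile(rx) for rx in NULLQUEUE_REGEXES]


def route(event: str) -> str:
    """Return the queue a raw WMI event would be routed to."""
    return "nullQueue" if any(rx.search(event) for rx in COMPILED) else "indexQueue"


def make_event(computer: str, code: int, type_: str) -> str:
    """Constructed WMI Security event; ComputerName precedes EventCode and
    Type, as in Splunk's WMI output, which the regexes rely on."""
    return (
        "20100101120000.000000\n"
        f"ComputerName={computer}\n"
        f"EventCode={code}\n"
        "Logfile=Security\n"
        "SourceName=Security\n"
        f"Type={type_}\n"
        "wmi_type=WinEventLog:Security\n"
    )


# Constructed samples (hostA/hostB are the AD hosts, hostC a plain server).
SAMPLES = {
    "ad_697": make_event("hostA", 697, "Audit Success"),
    "ad_success": make_event("hostA", 4624, "Audit Success"),
    "srv_697": make_event("hostC", 697, "Audit Success"),
    "srv_success": make_event("hostC", 4624, "Audit Success"),
    "srv_german": make_event("hostC", 4624, "Überwachung erfolgreich"),
    "srv_failure": make_event("hostC", 4625, "Audit Failure"),
    # The lookaheads test a prefix only, so "hostable" counts as an AD host
    # and its successful audits are kept; anchor host names with \b or \n.
    "prefix_trap": make_event("hostable", 4624, "Audit Success"),
}


def routing_table() -> dict:
    """Map each sample name to the queue it lands in."""
    return {name: route(ev) for name, ev in SAMPLES.items()}
```

The prefix_trap sample is the one caveat worth carrying into production: any host whose name begins with hosta or hostb silently inherits the AD rule.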