Getting Data In

WMI: filter remote Eventlogs by Host Groups

Explorer

I would like to know whether it is possible to filter remote Windows event logs based on the groups inside wmi.conf. I have a forwarder on a Windows host, sending its messages to a Linux box. I defined a group "server" and a group "active directory server".

I want all Security Eventlogs from the active directory group but only "Audit fails" from the other server group. EventCode 697 should never be forwarded.

Filtering all is easy: props.conf

[wmi]
TRANSFORMS_wmi=wminull

transforms.conf:

[wminull]
REGEX = (?m)^(EventCode=697|Type=Audit Success|Type=Success Audit)
DEST_KEY = queue
FORMAT = nullQueue

Filtering should be placed on the forwarder for licensing reasons. Does anyone have an idea how to do this?

Thanks in advance.


Re: WMI: filter remote Eventlogs by Host Groups

Legend

I am not sure what you mean by a "group" in wmi.conf? You mean different stanzas? If so, they will have different names, and you can filter on wmi_type=StanzaNameWithoutWMIPrefix.

However, I wonder if you have complicated this or basically, made things a lot more difficult for yourself by creating a different stanza for the same logs. It would be a lot better to filter on the host name, or report after the fact than to have a different sourcetype/source for WinEventLog:Security logs.

Whether filtering occurs on the forwarder or the indexer has no effect on licensing. Transforms must occur where parsing occurs. (Here.) If the forwarder is a Light Forwarder, parsing occurs on the indexer, and therefore the transforms and configuration must be set on the indexer.


Re: WMI: filter remote Eventlogs by Host Groups

Explorer

I think I mean different stanzas:

[WMI:Servers]
disabled = 0
event_log_file = Application, Security, System
interval = 5
server = hostA,hostB...

[WMI:AD]
disabled = 0
event_log_file = DFS Replication, Directory Service, DNS Server, File Replication Service, HardwareEvents, Key Management Service, Security, System, Application
interval = 5
server = HostF, HostG...

As I have to define the hostname in wmi.conf, I thought I could use this definition somewhere else. So I need to filter by hostname, but I want to define the hostname only once and not in several files.
The forwarder is not the light one.


Re: WMI: filter remote Eventlogs by Host Groups

Explorer

Ugly formatting..
I'll try the wmi_type - thank you!


Re: WMI: filter remote Eventlogs by Host Groups

Legend

I really recommend you have a different stanza for each log type, because I am pretty sure there is nothing else in the data that would indicate which file a particular log came from.


Re: WMI: filter remote Eventlogs by Host Groups

Explorer

wmi_type is set to WinEventLog:Security - no way to filter on my stanza. I would say I have different stanzas for nearly each log type. I have one stanza with three log files and another one with nine. The only thing is that I want to have all security logs from the second stanza and only failures from the first. I think I'm confused about stanzas and possible keys in the config files.


Re: WMI: filter remote Eventlogs by Host Groups

Explorer

Finally I created two regexes and defined the hosts twice..

[wmi_non_ad_697_lf]
REGEX = (?msi)ComputerName=(?!hosta|hostb).+?(EventCode=697|Type=Audit Success|Type=Success Audit|Type=.berwachung erfolgreich)
DEST_KEY = queue
FORMAT = nullQueue

[wmi_ad_697_lf]
# All AD servers with EventCode 697 are dropped
REGEX = (?msi)ComputerName=(?=hosta|hostb).+?(EventCode=697)
DEST_KEY = queue
FORMAT = nullQueue

Not very splunk, but works.
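To see what the two filter stages in this thread actually drop, here is an added Python example (not from the original post or from Splunk) that emulates the DEST_KEY = queue / FORMAT = nullQueue routing against constructed sample events. It runs both the original all-hosts [wminull] transform from the question and the final per-host [wmi_non_ad_697_lf] / [wmi_ad_697_lf] transforms from this answer. The event layout, host names (hostA/hostB as the AD servers, hostC as a member server, hostAA as a look-alike) and event codes are all constructed; the layout puts ComputerName before EventCode and Type because the poster's regexes need that order to match. The two STRICT patterns are an assumed tightening, not part of the thread: they anchor the host name to the end of its line so a host whose name merely starts with "hosta" is not treated as an AD server.

```python
import re

def make_event(host, code, kind):
    """Constructed key=value event in the style of Splunk's WMI event log
    output. ComputerName precedes EventCode/Type, as the regexes require."""
    return (
        f"ComputerName={host}\n"
        f"LogName=Security\n"
        f"EventCode={code}\n"
        f"Type={kind}\n"
        f"Message=constructed sample\n"
    )

# Constructed samples: hostA/hostB play the AD servers, hostC a member server,
# hostAA a host whose name only starts like an AD server.
SAMPLES = {
    "ad_success":     make_event("hostA", 540, "Audit Success"),
    "ad_697":         make_event("hostB", 697, "Audit Success"),
    "ad_failure":     make_event("hostA", 529, "Audit Failure"),
    "member_success": make_event("hostC", 540, "Audit Success"),
    "member_failure": make_event("hostC", 529, "Audit Failure"),
    "member_697":     make_event("hostC", 697, "Audit Failure"),
    "lookalike":      make_event("hostAA", 540, "Audit Success"),
}

# Stage 1: the original [wminull] transform, applied to every host.
WMINULL = re.compile(r"(?m)^(EventCode=697|Type=Audit Success|Type=Success Audit)")

# Stage 2: the final per-host transforms from the accepted answer.
WMI_NON_AD = re.compile(
    r"(?msi)ComputerName=(?!hosta|hostb).+?"
    r"(EventCode=697|Type=Audit Success|Type=Success Audit|Type=.berwachung erfolgreich)")
WMI_AD = re.compile(r"(?msi)ComputerName=(?=hosta|hostb).+?(EventCode=697)")

# Assumed tightening (not from the thread): anchor the host name to the end of
# the ComputerName line so hostAA is not mistaken for hostA.
WMI_NON_AD_STRICT = re.compile(
    r"(?msi)ComputerName=(?!(?:hosta|hostb)$).+?"
    r"(EventCode=697|Type=Audit Success|Type=Success Audit|Type=.berwachung erfolgreich)")
WMI_AD_STRICT = re.compile(r"(?msi)ComputerName=(?=(?:hosta|hostb)$).+?(EventCode=697)")

def route(event, transforms):
    """Emulate DEST_KEY = queue with FORMAT = nullQueue: an event starts in
    indexQueue and the first matching transform sends it to nullQueue.
    Splunk's REGEX is an unanchored search, hence re.search."""
    for rx in transforms:
        if rx.search(event):
            return "nullQueue"
    return "indexQueue"

def route_all(transforms):
    """Route every constructed sample; returns {sample_name: queue}."""
    return {name: route(ev, transforms) for name, ev in SAMPLES.items()}

if __name__ == "__main__":
    for label, transforms in [("all hosts",  [WMINULL]),
                              ("per host",   [WMI_NON_AD, WMI_AD]),
                              ("per host (strict)", [WMI_NON_AD_STRICT, WMI_AD_STRICT])]:
        print(f"== {label} ==")
        for name, queue in route_all(transforms).items():
            print(f"  {name:15s} -> {queue}")
```

The per-host stage keeps AD successes that the all-hosts stage would have thrown away, while 697 is dropped everywhere; the lookalike row shows the prefix-only lookahead treating hostAA as an AD server, which the anchored variant corrects.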
