I would like to know whether it is possible to filter remote Windows event logs based on the groups inside wmi.conf. I have a forwarder on a Windows host, sending its messages to a Linux box. I defined a group "server" and a group "active directory server".
I want all Security Eventlogs from the active directory group but only "Audit fails" from the other server group. EventCode 697 should never be forwarded.
Filtering all is easy: props.conf
[wminull]
REGEX = (?m)^(EventCode=697|Type=Audit Success|Type=Success Audit)
DEST_KEY = queue
FORMAT = nullQueue
Filtering should be placed on the forwarder for licensing reasons. Does anyone have an idea how to do this?
Thanks in advance.
I am not sure what you mean by a "group" in wmi.conf? You mean different stanzas? If so, they will have different names, and you can filter on
However, I wonder if you have complicated this or basically, made things a lot more difficult for yourself by creating a different stanza for the same logs. It would be a lot better to filter on the host name, or report after the fact than to have a different sourcetype/source for WinEventLog:Security logs.
Whether filtering occurs on the forwarder or the indexer has no effect on licensing. Transforms must occur where parsing occurs. (Here.) If the forwarder is a Light Forwarder, parsing occurs on the indexer, and therefore the transforms and configuration must be set on the indexer.
I think I mean different stanzas:
eventlogfile = Application, Security, System
interval = 5
server = hostA,hostB...
disabled = 0

eventlogfile = DFS Replication, Directory Service, DNS Server, File Replication Service, HardwareEvents, Key Management Service, Security, System, Application
interval = 5
server = HostF, HostG...
As I have to define the hostname in wmi.conf, I thought I could use this definition somewhere else. So I need to filter by hostname, but I want to define the hostname only once and not in several files.
The forwarder is not the light one.
I really recommend you have a different stanza for each log type, because I am pretty sure there is nothing else in the data that would indicate which file a particular log came from.
wmitype is set to WinEventLog:Security - no way to filter on my stanza. I would say I have different stanzas for nearly each log type. I have one stanza with three log files and another one with nine. The only thing is that I want to have _all_ security logs from the second stanza and only failures from the first. I think I'm confused about stanzas and possible keys in the config files.
Finally I created two regexes and defined the hosts twice.
[wmi_non_ad_697_lf]
REGEX = (?msi)ComputerName=(?!hosta|hostb).+?(EventCode=697|Type=Audit Success|Type=Success Audit|Type=.berwachung erfolgreich)
DEST_KEY = queue
FORMAT = nullQueue

[wmi_ad_697_lf]
# All AD servers with EventCode 697 are dropped
REGEX = (?msi)ComputerName=(?=hosta|hostb).+?(EventCode=697)
DEST_KEY = queue
FORMAT = nullQueue
Not very splunk, but works.
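As an added example (not from the original thread or from Splunk), the following script simulates how the two nullQueue transforms in the final post route a set of constructed WinEventLog:Security events, so the regexes can be checked offline before they are deployed. The field order inside the sample events (ComputerName before EventCode and Type) is an assumption made for this example; real WMI event text may order fields differently, and the regex only works if ComputerName appears before the fields it looks ahead to.

```python
import re

# Added example: simulates Splunk nullQueue routing for the two transforms
# posted above. Hostnames and event layout are constructed for this demo.
TRANSFORMS = {
    # Non-AD hosts: drop EventCode 697 and every success audit.
    "wmi_non_ad_697_lf": re.compile(
        r"(?msi)ComputerName=(?!hosta|hostb).+?"
        r"(EventCode=697|Type=Audit Success|Type=Success Audit)"
    ),
    # AD hosts (hosta, hostb): drop only EventCode 697, keep all else.
    "wmi_ad_697_lf": re.compile(
        r"(?msi)ComputerName=(?=hosta|hostb).+?(EventCode=697)"
    ),
}

def route(event):
    """Return the name of the first transform that sends the event to
    nullQueue, or None if the event would be indexed."""
    for name, rx in TRANSFORMS.items():
        if rx.search(event):
            return name
    return None

def make_event(computer, code, etype):
    # Constructed event layout (assumption): ComputerName precedes
    # EventCode and Type, which the lookahead-based regexes rely on.
    return (f"01/15/2010 10:00:00 AM\nLogName=Security\n"
            f"ComputerName={computer}\nEventCode={code}\nType={etype}\n")

SAMPLES = [
    ("hosta", 697, "Audit Failure"),    # AD host, 697 -> dropped
    ("hosta", 529, "Audit Success"),    # AD host, success -> kept
    ("hostc", 529, "Audit Success"),    # non-AD host, success -> dropped
    ("hostc", 529, "Audit Failure"),    # non-AD host, failure -> kept
    ("hostabc", 529, "Audit Success"),  # prefix match: treated as AD host
]

def summary():
    """Route every sample event and return (host, code, type, verdict)."""
    return [(c, code, t, route(make_event(c, code, t))) for c, code, t in SAMPLES]

if __name__ == "__main__":
    for row in summary():
        print(row)
```

The last sample shows a caveat of the posted regex: `(?!hosta|hostb)` is a prefix check, so a host such as "hostabc" is treated as an AD server and its success audits slip through; terminating the alternation with a word boundary, e.g. `(?!(hosta|hostb)\b)`, closes that gap.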