What is the best way to filter WMI Event Logs by type without just whitelisting or blacklisting?

New Member

Current Splunk Enterprise Server Version: 6.2.1

Current Splunk Test Server Version: 6.5.0

Question: What is the proper way to filter Windows log events that only deal with being type/level Warning, Error, or Failure Audit for Application, Security, and System (I guess Failure Audit for Security only), without simply filtering by event codes with white/blacklisting?

inputs.conf

[default]
host = SplunkMachine

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = Type="^Error" 
whitelist1 = Type="^2Warning"
blacklist = Type="^Information"

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = Type="^Error" 
whitelist1 = Type="^2Warning"
blacklist = Type="^Information" 
blacklist1 = Type="^2Failure Audit" 
blacklist2 = Type="^3Success Audit"

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = Type="^Error" 
whitelist1 = Type="^2Warning"
blacklist = Type="^Information"

transforms.conf

[wminull]
REGEX=(?m)^Level=(1|2|5)
DEST_KEY=queue
FORMAT=nullQueue

props.conf

########## FILE MATCH CONDITIONS ##########
[source::...\\var\\log\\anaconda.syslog(.\d+)?]
sourcetype = anaconda_syslog

[source::...\\var\\log\\anaconda.log(.\d+)?]
sourcetype = anaconda 

[source::...\\var\\log\\httpd\\error_log(.\d+)?]
sourcetype = apache_error 

[source::...\\var\\log\\cups\\access_log(.\d+)?]
...
[WinEventLog:Application]
TRANSFORMS-wmi=wminull

[WinEventLog:Security]
TRANSFORMS-wmi=wminull

[WinEventLog:System]
TRANSFORMS-wmi=wminull


####### NON-LOG FILES

So I've tried a few combinations of just modifying the transforms.conf and inputs.conf, and just props.conf. So far, my attempts have limited the amount of events that are indexed in Splunk; however, according to the documentation I should only modify props.conf and transforms.conf. I suspect I'm missing some regex remarks.


SplunkTrust

The whitelist/blacklist syntax is slightly different:

whitelist1 = Type=%^Error$%
whitelist2 = Type=%^Warning$%
...

Then you won't need any props/transforms nullqueue filtering at all.

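To make the difference between the filter entries posted in this thread concrete, here is an added Python model of the key=regex whitelist/blacklist matching the answer describes. It is example code written for this page, not Splunk's implementation: the events are constructed samples, both the %-delimited and the quoted form are accepted so that every entry on the page can be tried, and the keep/drop rule (an event is kept when it matches at least one whitelist entry, if any are given, and no blacklist entry) is an assumed model rather than Splunk's documented precedence.

```python
import re

# Constructed sample events (not from the thread): Windows event log records
# reduced to the two fields the thread's filters look at.
SAMPLE_EVENTS = [
    {"EventCode": "1000", "Type": "Error"},
    {"EventCode": "1001", "Type": "Warning"},
    {"EventCode": "1002", "Type": "Information"},
    {"EventCode": "4625", "Type": "Failure Audit"},
    {"EventCode": "4624", "Type": "Success Audit"},
]

# One filter entry: key=%regex% (the form given in the answer) or key="regex"
# (the form the question used). A bare key=regex with no delimiter is rejected.
ENTRY_RE = re.compile(r'^(\w+)=(?:%(?P<pct>.*?)%|"(?P<quot>.*?)")$')


def parse_entry(entry):
    """Split a whitelist/blacklist entry into (field name, compiled regex)."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unsupported filter syntax: {entry!r}")
    key = m.group(1)
    pattern = m.group("pct") if m.group("pct") is not None else m.group("quot")
    return key, re.compile(pattern)


def entry_matches(event, key, regex):
    """True when the event has the field and the regex matches its value."""
    return key in event and regex.search(event[key]) is not None


def apply_filters(events, whitelist=(), blacklist=()):
    """Assumed model: keep an event if it matches any whitelist entry (or no
    whitelist is configured) and matches no blacklist entry."""
    wl = [parse_entry(e) for e in whitelist]
    bl = [parse_entry(e) for e in blacklist]
    kept = []
    for ev in events:
        if wl and not any(entry_matches(ev, k, r) for k, r in wl):
            continue
        if any(entry_matches(ev, k, r) for k, r in bl):
            continue
        kept.append(ev)
    return kept


def kept_types(events, whitelist=(), blacklist=()):
    """Convenience view: just the Type values that survive the filters."""
    return [ev["Type"] for ev in apply_filters(events, whitelist, blacklist)]


if __name__ == "__main__":
    # The answer's whitelist: anchored, one entry per level.
    print(kept_types(SAMPLE_EVENTS, ["Type=%^Error$%", "Type=%^Warning$%"]))
    # The question's original entries: "^2Warning" can never match "Warning",
    # so only Error events get through.
    print(kept_types(SAMPLE_EVENTS, ['Type="^Error"', 'Type="^2Warning"']))
    # What the question actually asked for on the Security log, as one entry.
    print(kept_types(SAMPLE_EVENTS,
                     ["Type=%^(Error|Warning|Failure Audit)$%"]))
```

Running the block shows why the thread keeps returning to the regex itself: the whitelist alone selects the wanted levels once each pattern is anchored and spelled exactly, and a blacklist for Information adds nothing the whitelist does not already express.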

SplunkTrust

Your syntax is off again:

whitelist = Type=%^[1-2]$%

New Member

With the change, still indexing events that are the Information type.


SplunkTrust

Before you do, decide on a blacklist or a whitelist, not both.


New Member
[WinEventLog://Application]
disabled = 0
start_from = newest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = Type="^[1-2]$"

Still includes things other than what is whitelisted.


SplunkTrust

The whitelist is enough, no need for a blacklist to state the same thing again.

Did you restart Splunk, and are you only looking at data coming in after the restart?


New Member

I have restarted Splunk. It did index, but it still contained Information events. I am actually disabling the data input, deleting the index, modifying the config, restarting Splunk, then creating the new index and enabling the data input with the appropriate index.


New Member
[WinEventLog://Application]
disabled = 0
start_from = newest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = Type=%^Error$%
whitelist1 = Type=%^Warning$%
blacklist = Type=%^Information$%

This is what I have changed it to, following your answer. However, Application still seems to show Information logs.


New Member
[WinEventLog://Application]
disabled = 0
start_from = newest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = Type="^[1-2]$"
blacklist = Type="^[3]$"

Found out that Type is actually a numerical value, so I changed it to this. Now zero events are being indexed, so I must have something working; just the syntax is wrong.
