Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

WinEvent Filtering on Heavy Forwarder

stockwel
Engager
‎07-19-2010 08:36 PM

Hi, Trying to send all eventIDs from WinEventLog:Security to NullQueue with the exception of 592 and 593. Still getting all security events indexed :< props.conf and transforms.conf, located in Splunk\etc\system\local on the forwarder are as follows:

props.conf

[WinEventLog:Security]
TRANSFORMS-set=setnull,setparsing

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (?m)^EventCode=(592|593)
DEST_KEY = queue
FORMAT = indexQueue

Thanks, Andie

Tags (1)
Reply

maverick
Splunk Employee
Splunk Employee
‎11-16-2010 11:14 PM

Take a look at this answer regarding whitelisting specific event codes to be forwarded.

http://answers.splunk.com/questions/9076/how-to-configure-a-forwarder-to-filter-and-send-only-the-ev...

Reply

BunnyHop
Contributor
‎08-18-2010 05:51 PM

Try (?msi) instead of just (?m)

0 Karma
Reply

Paolo_Prigione
Builder
‎07-20-2010 02:01 PM

Hi, a couple things.

1) If you use a LightWeightForwarder, you might have to put those configurations on the indexer too.

2) Windows Security event logs have white spaces before "EventCode", so binding your regex to the start of the line should not work. 

REGEX = (?m)EventCode=(592|593)

You could also do the same job with a simpler configuration, though:

props.conf

[WinEventLog:Security]
TRANSFORMS-set=dropevents

transforms.conf

[dropevents]
REGEX = (?m)EventCode=(?!592|593)
DEST_KEY = queue
FORMAT = nullQueue

This regex means "discard everything that has EventCode different from either 592 or 593"

0 Karma
Reply

Paolo_Prigione
Builder
‎07-20-2010 02:15 PM

ops, sorry for the inconvenience: point 1) can be discarded as the forwarder type was inherent in the question's title

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...