Re: WinEvent Filtering on Heavy Forwarder

stockwel · ‎07-19-2010

Hi, Trying to send all eventIDs from WinEventLog:Security to NullQueue with the exception of 592 and 593. Still getting all security events indexed :< props.conf and transforms.conf, located in Splunk\etc\system\local on the forwarder are as follows:

props.conf

[WinEventLog:Security]
TRANSFORMS-set=setnull,setparsing

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (?m)^EventCode=(592|593)
DEST_KEY = queue
FORMAT = indexQueue

Thanks, Andie

maverick · ‎11-16-2010

Take a look at this answer regarding whitelisting specific event codes to be forwarded.

http://answers.splunk.com/questions/9076/how-to-configure-a-forwarder-to-filter-and-send-only-the-ev...

BunnyHop · ‎08-18-2010

Try (?msi) instead of just (?m)

Paolo_Prigione · ‎07-20-2010

Hi, a couple things.

1) If you use a LightWeightForwarder, you might have to put those configurations on the indexer too.

2) Windows Security event logs have white spaces before "EventCode", so binding your regex to the start of the line should not work.

REGEX = (?m)EventCode=(592|593)

You could also do the same job with a simpler configuration, though:

props.conf

[WinEventLog:Security]
TRANSFORMS-set=dropevents

transforms.conf

[dropevents]
REGEX = (?m)EventCode=(?!592|593)
DEST_KEY = queue
FORMAT = nullQueue

This regex means "discard everything that has EventCode different from either 592 or 593"

Paolo_Prigione · ‎07-20-2010

ops, sorry for the inconvenience: point 1) can be discarded as the forwarder type was inherent in the question's title

WinEvent Filtering on Heavy Forwarder

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!