Getting Data In
Highlighted

WinEventLog:Security HeavyForwarder (filter and send to indexer)

Path Finder

Hello,

I trying to retrieve all login/off/fail on my inderxer from UniversalForwarder filtered by Heavy forwarder :

UF v5.0.5 (All Security logs) > HF v5.0.5 (Filtering only 4642/4625/4634 events) > Indexer v6.0 (just index)

UF : Basic install with only Security logs configured to be send

HF : Listen on and forward only

**Props.conf :** 
[WinEventLog:Security]
TRANSFORMS-routing=winEvents_stanza

**Transforms.conf**
[winEvents_stanza]
REGEX=.*
DEST_KEY=_TCP_ROUTING
FORMAT=winEvents_group


**outputs.conf**
[tcpout]
defaultGroup=defaultGroup

[tcpout:defaultGroup]

[tcpout:winEvents_group]
server = X.X.X.X:xxxx
sendCookedData = 0

Indexer : index received data

If i don't configure the HF (props/transforms/outpouts) the Inderxer receive all Security logs but when I try to only filter on "WinEventLog:Security", the indexer will not receive the security logs.

Is HF able to understand the sourcetype WinEventLog:Security ?

Any Idea ?

Thanks.

0 Karma
Highlighted

Re: WinEventLog:Security HeavyForwarder (filter and send to indexer)

Splunk Employee
Splunk Employee

if you have old Win2003 servers, double check that the sourcetype is not WinEventLog:security (with lower case).

View solution in original post

0 Karma
Highlighted

Re: WinEventLog:Security HeavyForwarder (filter and send to indexer)

Path Finder

Hi,

Thanks for your reply, finally I've change my configuration for : [host::*] and in my transforms.conf I keep only the needed events.

In fact I've old Win03 but I have win08R2 on the same environement and i need to catch both events.

0 Karma
Highlighted

Re: WinEventLog:Security HeavyForwarder (filter and send to indexer)

Splunk Employee
Splunk Employee

It works.
Othewise for WinEventLog only, another option is to create 2 version of the stanza in props.conf

[WinEventLog:Security]
TRANSFORMS-routing=winEvents_stanza
[WinEventLog:security]
TRANSFORMS-routing=winEvents_stanza

Highlighted

Re: WinEventLog:Security HeavyForwarder (filter and send to indexer)

Path Finder

Oh we can do that ! Nice, maybe i will do change for it.

Thanks for your help.

0 Karma