WinEventLog:Security HeavyForwarder (filter and send to indexer)

Gilgalidd
Path Finder

Hello,

I'm trying to retrieve all logon/logoff/failure events on my indexer from a UniversalForwarder, filtered by a Heavy Forwarder:

UF v5.0.5 (All Security logs) > HF v5.0.5 (Filtering only 4642/4625/4634 events) > Indexer v6.0 (just index)

UF: Basic install with only Security logs configured to be sent

HF: Listen on and forward only

**props.conf:**

```
[WinEventLog:Security]
TRANSFORMS-routing=winEvents_stanza
```

**transforms.conf:**

```
[winEvents_stanza]
REGEX=.*
DEST_KEY=_TCP_ROUTING
FORMAT=winEvents_group
```

**outputs.conf:**

```
[tcpout]
defaultGroup=defaultGroup

[tcpout:defaultGroup]

[tcpout:winEvents_group]
server = X.X.X.X:xxxx
sendCookedData = 0
```

Indexer: index received data

If I don't configure the HF (props/transforms/outputs), the indexer receives all Security logs, but when I try to filter only on "WinEventLog:Security", the indexer does not receive the Security logs.

Is the HF able to understand the sourcetype WinEventLog:Security?

Any idea?

Thanks.


yannK
Splunk Employee

If you have old Win2003 servers, double check that the sourcetype is not WinEventLog:security (with lower case).


Gilgalidd
Path Finder

Oh, we can do that! Nice, maybe I will change it for that.

Thanks for your help.


yannK
Splunk Employee

It works.
Otherwise, for WinEventLog only, another option is to create 2 versions of the stanza in props.conf:

```
[WinEventLog:Security]
TRANSFORMS-routing=winEvents_stanza
[WinEventLog:security]
TRANSFORMS-routing=winEvents_stanza
```

Gilgalidd
Path Finder

Hi,

Thanks for your reply. Finally I've changed my configuration to `[host::*]`, and in my transforms.conf I keep only the needed events.

In fact I've got old Win03, but I have Win08R2 in the same environment and I need to catch both events.

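A Heavy Forwarder configuration along the lines the thread ends on, written here as an added example rather than the poster's actual files: `[host::*]` catches both sourcetype spellings, a nullQueue/indexQueue pair keeps only the wanted Event IDs, and `_TCP_ROUTING` sends them to the indexer group. The Event IDs 4624 (logon), 4625 (failed logon) and 4634 (logoff) are assumed from the post's "login/off/fail" wording, and the server address is a placeholder.

```ini
# --- props.conf (Heavy Forwarder) ---
# [host::*] matches every host, so the rules fire whether the event arrives
# as WinEventLog:Security or as WinEventLog:security from Win2003 hosts.
# Transforms run left to right; a later rule with the same DEST_KEY wins.
[host::*]
TRANSFORMS-routing = winEvents_dropall, winEvents_keep, winEvents_route

# --- transforms.conf (Heavy Forwarder) ---
# 1. Send every Security event to the null queue by default.
[winEvents_dropall]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2. Put the logon (4624), failed logon (4625) and logoff (4634) events
#    back on the index queue. EventCode sits on its own line in
#    WinEventLog events, hence the multi-line anchors. (IDs assumed.)
[winEvents_keep]
REGEX = (?m)^EventCode=(4624|4625|4634)\s*$
DEST_KEY = queue
FORMAT = indexQueue

# 3. Route the surviving events to the indexer output group.
[winEvents_route]
REGEX = (?m)^EventCode=(4624|4625|4634)\s*$
DEST_KEY = _TCP_ROUTING
FORMAT = winEvents_group

# --- outputs.conf (Heavy Forwarder) ---
[tcpout]
defaultGroup = winEvents_group

[tcpout:winEvents_group]
# Placeholder address; the indexer listens with a splunktcp input here.
server = INDEXER_IP:9997
# sendCookedData is left at its default (true) so host, source and
# sourcetype metadata survive; sendCookedData = 0 sends raw bytes that
# need a plain tcp:// input on the indexer instead of splunktcp://.
```

Restart the forwarder after editing, then confirm on the indexer that only the three Event IDs arrive for `sourcetype=WinEventLog:Security OR sourcetype=WinEventLog:security`.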