Getting Data In

WinEventLog:Security filtering does not work

arapozo
Explorer

Even after reading the documentation and a lot of posts here on answers, I just can't get filtering to work. I've recently installed two VMs to test it out.

One indexer server and one universal forwarder. The configuration is being done on the indexer, since according to the docs the universal forwarder doesn't do parsing.

REGEX is set to "." to test if the filtering is working.

SPLUNK\etc\system\local\props.conf
[WinEventLog:Security]
TRANSFORMS-setnull = setnull

SPLUNK\etc\system\local\transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

Isn't this configuration supposed to filter everything from WinEventLog:Security?
I get all the logs anyways.

Additional information that may be related:

http://answers.splunk.com/questions/13196/universal-forwarder-sending-cooked-data-to-indexer

1 Solution

Ellen
Splunk Employee

You have run into a known issue (SPL-38443) with the 4.2 Lightweight and Universal Forwarder.

The Windows 4.2 lightweight and universal forwarder parses WinEventLog datastreams on the forwarder, preventing all parsing control on the indexer.

The symptoms of this are: no filtering nor routing to the nullqueue based on props and transforms. WinEventLog data is bypassing props.conf and transforms.conf on the indexer.

The workaround would be to use a 4.2 full/regular forwarder or a 4.1.x lightweight forwarder, but this will be fixed in 4.2.1.

http://www.splunk.com/base/Documentation/latest/ReleaseNotes/Knownissues
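To see what the props.conf/transforms.conf pair in the question actually does once it is applied on the instance that parses the stream, here is a small simulator, added to this thread and not Splunk's own code. It reads the two files with Python's configparser, applies each TRANSFORMS- stanza's REGEX to the event's _raw text (the default SOURCE_KEY) and routes matches to nullQueue, then runs that over four constructed Security events in the classic WinEventLog text layout. It shows that REGEX = . drops every event, that a targeted EventCode regex drops only the noisy codes, and that an anchored pattern without (?m) silently matches nothing because EventCode= is never the first line of a multi-line event. The event layout, the "last matching queue transform wins" ordering and the helper names (make_event, route, transform_chain, event_code) are assumptions made for the example.

```python
"""Simulator for Splunk nullQueue routing via props.conf / transforms.conf.
Added example for this thread, not Splunk code. props.conf maps a sourcetype to
TRANSFORMS-<name> stanzas; each transform applies REGEX to the event's _raw and,
on a match, sets the DEST_KEY=queue to FORMAT (nullQueue = discard)."""
import configparser
import re

# The question's configuration, verbatim.
PROPS_CONF = """
[WinEventLog:Security]
TRANSFORMS-setnull = setnull
"""
TRANSFORMS_DROP_ALL = """
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
"""
# A targeted variant: drop only two notoriously noisy Security event codes.
TRANSFORMS_DROP_NOISE = """
[setnull]
REGEX = (?m)^EventCode=(4662|5156)$
DEST_KEY = queue
FORMAT = nullQueue
"""
# Common mistake: without (?m), ^ and $ anchor to the whole multi-line _raw,
# and EventCode= is never on the first line, so this never matches anything.
TRANSFORMS_BAD_ANCHOR = """
[setnull]
REGEX = ^EventCode=(4662|5156)$
DEST_KEY = queue
FORMAT = nullQueue
"""


def make_event(code, message):
    """Constructed sample event in the classic WinEventLog text layout
    (field order is an assumption for the example, not a captured event)."""
    return "\n".join(["04/12/2011 10:15:01 AM", "LogName=Security",
                      "SourceName=Microsoft Windows security auditing.",
                      f"EventCode={code}", "EventType=0", "Type=Information",
                      "ComputerName=WS01", f"Message={message}"])


SAMPLE_EVENTS = [
    make_event(4624, "An account was successfully logged on."),
    make_event(4662, "An operation was performed on an object."),
    make_event(5156, "The Windows Filtering Platform has permitted a connection."),
    make_event(4720, "A user account was created."),
]


def parse_conf(text):
    """Parse a Splunk .conf: INI-style stanzas, case-sensitive keys, no % interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def transform_chain(props, sourcetype):
    """Transform stanza names referenced by the TRANSFORMS-* keys of a sourcetype."""
    chain = []
    for key, value in props.get(sourcetype, {}).items():
        if key.startswith("TRANSFORMS-"):
            chain.extend(v.strip() for v in value.split(","))
    return chain


def route(sourcetype, events, props_text, transforms_text):
    """Split events into (kept, dropped) the way the parsing pipeline would."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    chain = transform_chain(props, sourcetype)
    kept, dropped = [], []
    for raw in events:
        queue = "indexQueue"
        for name in chain:
            t = transforms[name]
            if t.get("DEST_KEY") != "queue":
                continue  # field-extraction transforms do not affect routing
            if re.search(t["REGEX"], raw):  # REGEX runs against _raw (default SOURCE_KEY)
                queue = t["FORMAT"]         # assumption: last matching queue transform wins
        (dropped if queue == "nullQueue" else kept).append(raw)
    return kept, dropped


def event_code(raw):
    """EventCode of a raw event as a string, or None."""
    m = re.search(r"(?m)^EventCode=(\d+)$", raw)
    return m.group(1) if m else None


if __name__ == "__main__":
    for label, conf in [("REGEX=.", TRANSFORMS_DROP_ALL), ("targeted", TRANSFORMS_DROP_NOISE),
                        ("bad anchor", TRANSFORMS_BAD_ANCHOR)]:
        kept, dropped = route("WinEventLog:Security", SAMPLE_EVENTS, PROPS_CONF, conf)
        print(f"{label:10s} kept={[event_code(e) for e in kept]} "
              f"dropped={[event_code(e) for e in dropped]}")
```

Run it with python3. What the simulator cannot check is the point of the answer above: these stanzas only take effect on the instance that actually parses the WinEventLog stream, which for the 4.2 universal forwarder is the forwarder itself, so a props.conf/transforms.conf pair that lives only on the indexer is never consulted. On a real instance, `splunk btool props list --debug` shows which file each stanza is being read from, which is the first thing to confirm before touching the regex.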

MuS
SplunkTrust

Hi Ellen,
Is this really solved in the 4.2.1 universal forwarder? I just ran into exactly this problem: I was unable to redirect WinEventLog events no matter what transform I used. The only way to get them into different indexes was to set the index in inputs.conf on the 4.2.1 universal forwarder.

best regards, MuS

0 Karma

arapozo
Explorer

I just installed the forwarder and only selected the security log in the wizard, nothing else.

0 Karma

jbsplunk
Splunk Employee

What does the input on the Universal Forwarder use to get data from the event logs?

0 Karma

arapozo
Explorer

I'm not using WMI to collect events, the source is always a universal forwarder.

0 Karma