
Windows Event Forwarding custom channels, renaming sources, adding metadata

New Member

We have a custom Windows Event Forwarding deployment, with specific channels (i.e. not all goes to ForwardedEvents).
FWD/Application, FWD/System, and so on.

We use Splunkforwarder (7.2.1) to get this all into Splunk. It reads the sources just fine, with source::WinEventLog:FWD-name of channel.

Windows TA (5.0) is not very fond of this, as it searches for source::WinEventLog:Security or a known, standard channel name.

No matter, override [source::WinEventLog:FWD-Security] for example, and apply there the transforms (custom app to override this goes in forwarder, indexers and search head). This works just fine. All transforms are applied.

Since we like to have the host as the source machine, we add a meta field, wec_host, for troubleshooting purposes.

[set-wef-forwarding-host]
REGEX = (?m)host::(.*)$
SOURCE_KEY = MetaData:Host
FORMAT = wec_host::$1
WRITE_META = true

Works like a charm. Then, we want to apply another transform to add the original channel it was received from to the metadata, which is present in the source:

[set-wef-channel]
REGEX = WinEventLog:(.*)
SOURCE_KEY = MetaData:Source
FORMAT = wef_channel::$1
WRITE_META = true

After that, we apply the usual transforms from Windows TA to fix the source and sourcetype:

[source::WinEventLog:FWD-Security]
TRANSFORMS-t1-add_forwarder_for_wef = set-wef-forwarding-host
TRANSFORMS-t2-add_channel_for_wef = set-wef-channel
TRANSFORMS-t3-change_xml_host_for_windows_wef = WinEventXmlHostOverride
TRANSFORMS-t4-fix_source_and_sourcetype = ta-windows-fix-xml-source,ta-windows-fix-sourcetype

Taking into account top to bottom, and precedence, checking with btool, it appears the transforms should be applying in the right order, but by the time the set-wef-channel transform hits, the MetaData:Source no longer contains WinEventLog:FWD-Security and is empty as the regex doesn't match.

What are we missing?

Thanks in advance.

0 Karma

Re: Windows Event Forwarding custom channels, renaming sources, adding metadata

Communicator

We use

[source::WinEventLog:Security]
TRANSFORMS-classname = Transforms_stanza

and it works for Security fine.

We have the problem at Windows Event Collector:

[source::WinEventLog:WEC/Channel1]
TRANSFORMS-classname = ....

We try

source::../Channel1
or
source::...//Channel1 OR source::..WEC/Channel1 OR source::...\Channel1 OR  source::...Channel1

but no solution! 😞

Some Ideas?

0 Karma

Re: Windows Event Forwarding custom channels, renaming sources, adding metadata

New Member

Use a dash instead of a backslash:
e.g. [source::WinEventLog:WEC-Channel1] instead of [source::WinEventLog:WEC/Channel1]

0 Karma

Re: Windows Event Forwarding custom channels, renaming sources, adding metadata

Communicator

The dash doesn't help 😞

0 Karma

Re: Windows Event Forwarding custom channels, renaming sources, adding metadata

New Member

Yikes, sorry, I fat fingered that one:

This should work in your inputs.conf:
[WinEventLog://WEC-Security]

Then you would refer to it in props.conf as:
[source::WinEventLog:WEC-Security]

At this stage you can manipulate the source and sourcetype with the standard windows TA transforms if you so choose.

0 Karma
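Both halves of this thread come down to checking a props.conf / transforms.conf pair offline before pushing it to forwarders, indexers and search heads: the original post's question about the order in which the TRANSFORMS-t1..t4 classes hit MetaData:Source, and the later replies about a single-colon [source:...] stanza and the inputs.conf name that a [source::WinEventLog:...] stanza must line up with. The script below is an added example, not code from the thread or from Splunk; it parses the two files, flags single-colon source stanzas, checks that every WinEventLog:// input has a matching props stanza, and replays the MetaData-keyed transforms in ASCII order of class name (the order the original post assumes Splunk uses) against constructed metadata values. The [demo-fix-source] transform is a hypothetical stand-in for the TA's source rewrite, not the real ta-windows-fix-xml-source, and the host name WEC01 is made up.

```python
"""Offline check of a Splunk props/transforms pair (added example, not Splunk tooling)."""
import re
from configparser import ConfigParser

# Constructed samples modelled on the thread's stanzas.
INPUTS = """
[WinEventLog://FWD-Security]
[WinEventLog://WEC-Channel1]
"""

PROPS = """
[source::WinEventLog:FWD-Security]
TRANSFORMS-t1-add_forwarder_for_wef = set-wef-forwarding-host
TRANSFORMS-t2-add_channel_for_wef = set-wef-channel
TRANSFORMS-t4-fix_source = demo-fix-source

[source:WinEventLog:WEC/Channel1]
TRANSFORMS-classname = set-wef-channel
"""

TRANSFORMS = """
[set-wef-forwarding-host]
REGEX = (?m)host::(.*)$
SOURCE_KEY = MetaData:Host
FORMAT = wec_host::$1
WRITE_META = true

[set-wef-channel]
REGEX = WinEventLog:(.*)
SOURCE_KEY = MetaData:Source
FORMAT = wef_channel::$1
WRITE_META = true

# Hypothetical stand-in for the TA's source rewrite (not ta-windows-fix-xml-source).
[demo-fix-source]
REGEX = .
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
FORMAT = source::WinEventLog:Security
"""

# Constructed metadata as an indexer would see it: metadata fields carry a key:: prefix.
SAMPLE_META = {"MetaData:Host": "host::WEC01",
               "MetaData:Source": "source::WinEventLog:FWD-Security"}


def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    cp = ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case; TRANSFORMS-<class> names are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def single_colon_sources(props):
    """[source:...] with one colon is read as a sourcetype name, not a source pattern."""
    return [n for n in props if n.startswith("source:") and not n.startswith("source::")]


def inputs_without_props(inputs, props):
    """A [WinEventLog://X] input produces source WinEventLog:X; report inputs with no stanza."""
    return [n for n in inputs if n.startswith("WinEventLog://")
            and "source::WinEventLog:" + n[len("WinEventLog://"):] not in props]


def ordered_transforms(stanza):
    """[(class, [transform names])] in ASCII order of class name (assumed apply order)."""
    classes = [(k[len("TRANSFORMS-"):], [t.strip() for t in v.split(",") if t.strip()])
               for k, v in stanza.items() if k.startswith("TRANSFORMS-")]
    return sorted(classes, key=lambda c: c[0])


def simulate(stanza, transforms, meta):
    """Replay MetaData-keyed transforms; return (fields written by WRITE_META, final meta, log)."""
    meta, written, log = dict(meta), {}, []
    for cls, names in ordered_transforms(stanza):
        for name in names:
            t = transforms.get(name)
            if t is None:
                log.append(f"{cls}: '{name}' missing from transforms.conf"); continue
            src = t.get("SOURCE_KEY", "_raw")
            if not src.startswith("MetaData:"):
                log.append(f"{cls}: '{name}' keyed on {src}, not simulated"); continue
            m = re.search(t["REGEX"], meta.get(src, ""))
            if not m:
                log.append(f"{cls}: '{name}' REGEX did not match {src}={meta.get(src, '')!r}"); continue
            out = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), t["FORMAT"])
            if "DEST_KEY" in t:           # rewrites metadata seen by later transforms
                meta[t["DEST_KEY"]] = out
            if t.get("WRITE_META", "false").lower() == "true":
                field, _, value = out.partition("::")
                written[field] = value
            log.append(f"{cls}: '{name}' -> {out}")
    return written, meta, log


if __name__ == "__main__":
    props, tr = parse_conf(PROPS), parse_conf(TRANSFORMS)
    print("single-colon stanzas:", single_colon_sources(props))
    print("inputs lacking props:", inputs_without_props(parse_conf(INPUTS), props))
    for line in simulate(props["source::WinEventLog:FWD-Security"], tr, SAMPLE_META)[2]:
        print(line)
```

Renaming the rewrite class so it sorts before t2 (for example TRANSFORMS-a0-fix_source) makes the replay capture wef_channel::Security instead of wef_channel::FWD-Security, which is the kind of ordering effect worth ruling out with btool before suspecting the regex itself.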