Hi,
I'm trying to filter certain Windows event IDs, which need to be sent to the Indexer, and the rest are to be dropped.
My props.conf looks as below:
[WinEventLog:Security]
TRANSFORMS-security = adlog, dropadlog
And my transforms.conf looks as below:
[dropadlog]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[adlog]
REGEX = (?msi)^EventCode=(4624|4625|4688|4768|4769|4771|4773|4776|4740)
DEST_KEY = queue
FORMAT = indexQueue
On querying through the search head, I don't see any events coming through the HF.
Rather, I see events from other hosts that are configured to directly send events to the Indexers.
Could someone help me understand what's going wrong with the HF configuration?
My inputs.conf is below:
[default]
host = Hostname of HF
[splunktcp://9997]
disabled = false
And outputs.conf:
[tcpout]
defaultGroup = default-autolb-group
[tcpout-server://Indexer1:9997]
[tcpout-server://Indexer2:9997]
[tcpout:default-autolb-group]
disabled = false
server = Indexer1:9997,Indexer2:9997,Indexer3:9997
[tcpout-server://Indexer3:9997]
Hi @sansme,
at first sight, I see two errors:
in props.conf, the order of the commands is important: you have to put first the one with "REGEX = .", in other words:
TRANSFORMS-security = dropadlog, adlog
Then I'm not sure that the regex in adlog is correct:
at first, "=" is a special char, so you have to escape it (\=);
then you used "^", which means that you want to index multiline events that start with EventCode, and I think that EventCode=... is always later in Windows logs, not at the beginning!
In other words, try this regex:
REGEX = (?ms)EventCode\=(4624|4625|4688|4768|4769|4771|4773|4776|4740)
Only one last question, why don't you filter events in inputs.conf whitelists?
Ciao.
Giuseppe
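As an added illustration of the ordering point above (this is not code from the thread or from Splunk), the following Python snippet emulates how the stanzas listed in TRANSFORMS-security are applied left to right, each matching one overwriting the queue, so the last match wins. The sample events are constructed in the classic (non-XML) WinEventLog:Security layout.

```python
import re

# Constructed sample events in the classic WinEventLog:Security layout (not real log data).
SAMPLE_EVENTS = [
    "03/01/2024 10:15:02 AM\nLogName=Security\nEventCode=4624\nEventType=0\n"
    "ComputerName=HOST1\nMessage=An account was successfully logged on.",
    "03/01/2024 10:15:05 AM\nLogName=Security\nEventCode=4672\nEventType=0\n"
    "ComputerName=HOST1\nMessage=Special privileges assigned to new logon.",
    "03/01/2024 10:16:11 AM\nLogName=Security\nEventCode=4688\nEventType=0\n"
    "ComputerName=HOST1\nMessage=A new process has been created.",
]

# The two transforms.conf stanzas from the thread, modelled as (REGEX, FORMAT);
# both use DEST_KEY = queue, so each match overwrites the same routing decision.
TRANSFORMS = {
    "dropadlog": (r".", "nullQueue"),
    "adlog": (r"(?ms)EventCode\=(4624|4625|4688|4768|4769|4771|4773|4776|4740)", "indexQueue"),
}


def route_event(event, order):
    """Emulate TRANSFORMS-<class> routing: stanzas run in the listed order and
    every one whose REGEX matches sets the queue, so the last match wins.
    An event matched by no stanza keeps the default indexQueue."""
    queue = "indexQueue"
    for name in order:
        regex, fmt = TRANSFORMS[name]
        if re.search(regex, event):
            queue = fmt
    return queue


def kept_event_codes(events, order):
    """Return the EventCodes that reach indexQueue under a given stanza order."""
    kept = []
    for ev in events:
        code = re.search(r"EventCode=(\d+)", ev).group(1)
        if route_event(ev, order) == "indexQueue":
            kept.append(code)
    return kept


if __name__ == "__main__":
    # Original order: the catch-all runs last and sends everything to nullQueue.
    print("adlog, dropadlog ->", kept_event_codes(SAMPLE_EVENTS, ["adlog", "dropadlog"]))  # []
    # Corrected order: only the listed EventCodes are re-routed to indexQueue.
    print("dropadlog, adlog ->", kept_event_codes(SAMPLE_EVENTS, ["dropadlog", "adlog"]))  # ['4624', '4688']
```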
Thanks a lot @gcusello. This has addressed the issue halfway. I'm seeing the events coming through the HF now. However, the regex condition (after modifying it as you've suggested) didn't seem to work yet, as I'm seeing EventIDs other than what I've mentioned in the regex.
With regards to whitelisting in inputs.conf, I wasn't sure of an effective way of doing this; would you mind sharing a template if you have it handy?
Hi @sansme,
I don't know why you have other EventCodes, maybe they don't pass through the HF.
Anyway, the inputs.conf stanza is something like this:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
renderXml=false
whitelist1 = 4624
whitelist2 = 4625
whitelist3 = 4688
whitelist4 = 4768
whitelist5 = 4769
whitelist6 = 4771
whitelist7 = 4773
whitelist8 = 4776
whitelist9 = 4740
that I took from the Splunk TA Windows.
Ciao.
Giuseppe
@gcusello You got it 👍. I have a few servers that are directly sending logs to the Indexers rather than going through the HF. Updating them to route through the HF fixed the issue. Thanks a ton for the help; I will keep the inputs.conf whitelisting template as a backup 😊
Try dropping "(?msi)^" from the REGEX in transforms.conf.
Unfortunately this didn't work.