Getting Data In

Windows Events Filtering on Heavy Forwarder

sansme
Explorer

Hi,

I'm trying to filter certain Windows event IDs which need to be sent to Indexer and the rest to be dropped.

My Props.conf looks as below:

[WinEventLog:Security]
TRANSFORMS-security = adlog, dropadlog

And my transforms.conf looks as below:

[dropadlog]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[adlog]
REGEX = (?msi)^EventCode=(4624|4625|4688|4768|4769|4771|4773|4776|4740)
DEST_KEY = queue
FORMAT = indexQueue

On querying through the search head, I don't see any events coming through the HF.

Rather, I see events from other hosts that are configured to send events directly to the Indexers.

Could someone help me understand what's going wrong with HF configuration?

My inputs.conf is below:

[default]
host = Hostname of HF

[splunktcp://9997]
disabled = false

And Outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://Indexer1:9997]

[tcpout-server://Indexer2:9997]

[tcpout:default-autolb-group]
disabled = false
server = Indexer1:9997,Indexer2:9997,Indexer3:9997

[tcpout-server://Indexer3:9997]

gcusello
SplunkTrust
SplunkTrust

Hi @sansme,

at first sight, I see two errors:

in props.conf, the order of commands is important: you have to put first the one with "REGEX = .", in other words:

TRANSFORMS-security = dropadlog, adlog

Then I'm not sure that the regex in adlog is correct:

first, "=" is a special char so you have to escape it (|=);

then you used "^", which means that you want to index multiline events that start with EventCode, and I think that EventCode=... is always later in Windows logs, not at the beginning!

In other words, try this regex:

REGEX = (?ms)EventCode\=(4624|4625|4688|4768|4769|4771|4773|4776|4740)

Only one last question, why don't you filter events in inputs.conf whitelists?

Ciao.

Giuseppe
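To see why the stanza order matters, here is a small Python model (added here, not code from the thread or from Splunk) of how the TRANSFORMS-security list is applied: each stanza whose REGEX matches overwrites DEST_KEY = queue, so the last matching stanza decides where the event goes. The sample events are constructed in the classic WinEventLog layout, and the adlog regex is the one from the answer above.

```python
import re

# Constructed sample events (classic, non-XML WinEventLog:Security layout, trimmed to the relevant lines).
SAMPLE_EVENTS = [
    "03/01/2024 10:00:01 AM\nLogName=Security\nEventCode=4624\nEventType=0\n"
    "Message=An account was successfully logged on.",
    "03/01/2024 10:00:02 AM\nLogName=Security\nEventCode=4672\nEventType=0\n"
    "Message=Special privileges assigned to new logon.",
    "03/01/2024 10:00:03 AM\nLogName=Security\nEventCode=4688\nEventType=0\n"
    "Message=A new process has been created.",
]

# The two transforms.conf stanzas from the thread, using the regex suggested in the answer.
TRANSFORMS = {
    "dropadlog": {"REGEX": r".", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "adlog": {
        "REGEX": r"(?ms)EventCode\=(4624|4625|4688|4768|4769|4771|4773|4776|4740)",
        "DEST_KEY": "queue",
        "FORMAT": "indexQueue",
    },
}


def route_event(raw, transforms_order):
    """Apply the TRANSFORMS-* stanzas in the listed order.

    Every matching stanza rewrites the queue key, so the last match wins.
    """
    queue = "indexQueue"  # default destination when no stanza rewrites the queue key
    for name in transforms_order:
        stanza = TRANSFORMS[name]
        if re.search(stanza["REGEX"], raw):
            queue = stanza["FORMAT"]
    return queue


def indexed_event_codes(transforms_order, events=SAMPLE_EVENTS):
    """Return the EventCodes that reach indexQueue under the given TRANSFORMS ordering."""
    kept = []
    for raw in events:
        if route_event(raw, transforms_order) == "indexQueue":
            kept.append(re.search(r"EventCode=(\d+)", raw).group(1))
    return kept


if __name__ == "__main__":
    # Original order: the catch-all "." matches last, so every event is dropped.
    print("adlog, dropadlog ->", indexed_event_codes(["adlog", "dropadlog"]))  # []
    # Corrected order: only the whitelisted EventCodes are routed back to indexQueue.
    print("dropadlog, adlog ->", indexed_event_codes(["dropadlog", "adlog"]))  # ['4624', '4688']
```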

sansme
Explorer

Thanks a lot @gcusello. This has addressed the issue halfway. I'm seeing the events coming through the HF now. However, the regex condition (after modifying it as you've suggested) didn't seem to work yet, as I'm seeing EventIDs other than what I've mentioned in the regex.

With regards to whitelisting in inputs.conf, I wasn't sure of an effective way of doing this, would you mind sharing a template if you got it handy?

gcusello
SplunkTrust
SplunkTrust

Hi @sansme,

I don't know why you have other EventCodes, maybe they don't pass through the HF.

Anyway, the inputs.conf stanza is something like this:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
renderXml = false
whitelist1 = 4624
whitelist2 = 4625
whitelist3 = 4688
whitelist4 = 4768
whitelist5 = 4769
whitelist6 = 4771
whitelist7 = 4773
whitelist8 = 4776
whitelist9 = 4740

that I took from the Splunk TA Windows.

Ciao.

Giuseppe

sansme
Explorer

@gcusello You got it 👍. I have a few servers that are directly sending logs to the Indexers rather than going through the HF. Updating them to route through the HF fixed the issue. Thanks a ton for the help, and I will keep the inputs.conf whitelisting template as a backup 😊

richgalloway
SplunkTrust
SplunkTrust

Try dropping "(?msi)^" from the REGEX in transforms.conf.

---
If this reply helps you, Karma would be appreciated.

sansme
Explorer

Unfortunately, this didn't work.
