Windows monitor security only 4624 ID

Explorer

Hello,
I've got a little problem. I would like to monitor security events from a remote machine, but ONLY 4624 events (RDP Login). I mean that the Splunk server has to collect and index only ID 4624 events. Is it possible?

Thank you very much

1 Solution

Explorer

Now it's ok!!!!!

props.conf

[WMI:WinEventLog:Security]
# transforms run in the order listed; the last one whose REGEX matches sets the queue
TRANSFORMS-wmi = wminull, wmiparsing

transforms.conf

# first send every event of this sourcetype to nullQueue (dropped, never indexed)
[wminull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# then route events whose EventCode line is 4624 back to indexQueue
[wmiparsing]
REGEX = (?m)^EventCode=(4624)
DEST_KEY = queue
FORMAT = indexQueue



Influencer

GREAT! Happy to help


Champion

Good answer!


Influencer

lantuin,

The following Splunk documentation should be able to assist you with this setup... http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#FilterWMIevents.

The following splunk base question may also be of use, as it has a working solution... http://splunk-base.splunk.com/answers/29218/filtering-windows-event-logs.

I believe this should answer your question.

If this does answer your question, please mark this question as answered to help the community.

Regards,

Matt

Influencer

... for example...

props.conf:

[WMI:WinEventLog:Security]
TRANSFORMS-security= events-null, events-filter

transforms.conf:

[events-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[events-filter]
REGEX = (?m)^EventCode=(4624)
DEST_KEY = queue
FORMAT = indexQueue


Influencer

When you said... "I try to change Format to IndexQueue" ...

Is this how you used the index queue (i.e. IndexQueue, as stated above)? I believe this should be indexQueue.

Apologies if you have done this; it is most probably case sensitive.


Explorer

Yes Ayn, they're coming after I made these changes and "WMI:WinEventLog:Security" is the right sourcetype.


Legend

OK. And you can see for sure that this is not being applied to events coming in after you've made these changes? The events that are already in the index won't go away, but new ones should be filtered.

Is "WMI:WinEventLog:Security" the sourcetype you're looking to apply this filter to?


Explorer

Yes, of course!


Legend

Did you restart Splunk after making these changes?


Explorer

I try to change Format to IndexQueue


Explorer

props.conf:

[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull

transforms.conf:

[wminull]
REGEX=(?m)^EventCode=(4624)
DEST_KEY=queue
FORMAT=nullQueue

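As an added example (not code from the thread and not Splunk's own code), the Python below simulates how Splunk applies a TRANSFORMS-<class> chain whose transforms have DEST_KEY = queue: the queue starts as indexQueue and every transform whose REGEX matches overwrites it, so the last match wins. It runs the accepted solution at the top of the thread (Matt's events-null/events-filter example is the same configuration under other names) and the first attempt posted just above over a few constructed events. The sample events, the small .conf reader, the sorted-key ordering for the multi-key case, and the extra RDP-only regex (Logon Type 10, since 4624 records every successful logon, not only RDP) are my assumptions, not something the thread provides.

```python
import re

# Constructed sample records shaped like WMI:WinEventLog:Security events
# (one multi-line string per event); not real captured data.
SAMPLE_EVENTS = [
    "LogName=Security\nEventCode=4624\nType=Audit Success\n"
    "Message=An account was successfully logged on.\nLogon Type:\t\t10\n",
    "LogName=Security\nEventCode=4625\nType=Audit Failure\n"
    "Message=An account failed to log on.\nLogon Type:\t\t10\n",
    "LogName=Security\nEventCode=4634\nType=Audit Success\n"
    "Message=An account was logged off.\n",
    "LogName=Security\nEventCode=4624\nType=Audit Success\n"
    "Message=An account was successfully logged on.\nLogon Type:\t\t2\n",
]

# Accepted configuration from the thread: everything to nullQueue first,
# then EventCode 4624 back to indexQueue.
WORKING_PROPS = """
[WMI:WinEventLog:Security]
TRANSFORMS-wmi = wminull, wmiparsing
"""
WORKING_TRANSFORMS = """
[wminull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[wmiparsing]
REGEX = (?m)^EventCode=(4624)
DEST_KEY = queue
FORMAT = indexQueue
"""

# First attempt from the thread: one transform that sends 4624 itself to nullQueue.
BROKEN_PROPS = """
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull
"""
BROKEN_TRANSFORMS = """
[wminull]
REGEX=(?m)^EventCode=(4624)
DEST_KEY=queue
FORMAT=nullQueue
"""

# Assumed extension (not from the thread): keep only 4624 events whose Logon Type
# is 10 (RemoteInteractive, i.e. RDP); (?s) lets .*? span the event's lines.
RDP_TRANSFORMS = WORKING_TRANSFORMS.replace(
    "(?m)^EventCode=(4624)", r"(?ms)^EventCode=4624$.*?^Logon Type:\s*10\b")


def parse_conf(text):
    """Minimal .conf reader: {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")  # a REGEX value may contain '='
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def transform_chain(props_text, transforms_text, sourcetype):
    """Ordered (regex, queue) pairs for the sourcetype's TRANSFORMS-* keys.
    Names run in the order listed within a key; keys are taken in sorted order
    (an assumption for the multi-key case; the thread uses one key)."""
    stanza = parse_conf(props_text).get(sourcetype, {})
    transforms = parse_conf(transforms_text)
    chain = []
    for key in sorted(k for k in stanza if k.startswith("TRANSFORMS-")):
        for name in (n.strip() for n in stanza[key].split(",")):
            t = transforms[name]
            if t.get("DEST_KEY") == "queue":
                chain.append((re.compile(t["REGEX"]), t["FORMAT"]))
    return chain


def route(event, chain):
    """Splunk's routing rule: the queue starts as indexQueue and every transform
    whose REGEX matches overwrites it, so the LAST matching transform wins."""
    queue = "indexQueue"
    for regex, fmt in chain:
        if regex.search(event):
            queue = fmt
    return queue


def indexed_event_codes(props_text, transforms_text, events=SAMPLE_EVENTS):
    """EventCode of every event that reaches indexQueue under this config."""
    chain = transform_chain(props_text, transforms_text, "WMI:WinEventLog:Security")
    return [re.search(r"(?m)^EventCode=(\d+)", ev).group(1)
            for ev in events if route(ev, chain) == "indexQueue"]


if __name__ == "__main__":
    print("accepted config keeps: ", indexed_event_codes(WORKING_PROPS, WORKING_TRANSFORMS))
    print("first attempt keeps:   ", indexed_event_codes(BROKEN_PROPS, BROKEN_TRANSFORMS))
    print("RDP-only variant keeps:", indexed_event_codes(WORKING_PROPS, RDP_TRANSFORMS))
```

The first attempt keeps exactly the events the asker did not want: with only a nullQueue transform, 4624 is dropped and every other event falls through to the indexQueue default, which is the symptom reported further down the thread. The accepted configuration inverts that by matching everything first and then re-routing 4624 last. Whichever variant you use, the transforms only affect events parsed after the change and a restart; what is already in the index stays there.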

Influencer

Can you include an example of your props.conf and transforms.conf?

I think possibly you are sending the events to a nullQueue (as shown in the Windows example of the link above), but not to another queue, as shown in other examples.


Explorer

Yes, I'm doing this but without result. The changes have no effect; I receive event codes other than 4624.


Influencer

Have you restarted your Splunk services after making the changes to the props/transforms.conf files?


Influencer

You should edit a file called transforms.conf via a shell/command line session. The file should be located in one of the following locations (you may need to create it if it does not exist):

$SPLUNK_HOME/etc/apps/<appname>/local/transforms.conf (preferable)
$SPLUNK_HOME/etc/apps/<appname>/default/transforms.conf
$SPLUNK_HOME/etc/system/local/transforms.conf


Explorer

I'm sorry, I'm not such an expert 😞 I mean:

splunk > Manager > Fields > Transforms


Legend

What do you mean "by GUI"?


Explorer

I've got some problems 😞 If I try to insert this directive by GUI, splunk says to me:

In handler 'transforms-extract': Invalid FORMAT: indexQueue (for events-filter)

In handler 'transforms-extract': Invalid FORMAT: nullQueue (for events-null and events-null3)


Explorer

Yes, of course!
