Getting Data In

Wineventlog and Sysmon on split indexes using the same source (WinEventLog://ForwardedEvents)

b_chris21
Communicator

Hello everyone,

I am collecting Windows Event Logs and Sysmon Logs from my Windows Domain to my WEF. From WEF using a UF I am forwarding everything to my Splunk Indexer.

My question is:

How can I split my data collected to [WinEventLog://ForwardedEvents] to two different indexes (wineventlog, sysmon)? I don't want Sysmon to get into wineventlog index.

Shall I use props.conf and transform.conf modification to achieve that? If yes, can you please guide me on how this shall be formatted?

The next step would be to properly configure inputs.conf on Splunk_TA_Windows and TA-microsoft-sysmon so that I don't have to index unneeded stuff that will cause performance issues.

For example, in TA-microsoft-sysmon's inputs.conf I will have to put:

[WinEventLog://ForwardedEvents]
disabled = 0
index = sysmon
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true

but this will also index wineventlogs which are not needed in this index. Is that correct?

Thanks

Chris

0 Karma

b_chris21
Communicator

Hi @venkatasri,

thanks for your reply. I am aware of what you have described. The only difference is that on my WEF I have created a single subscription that drops all Windows event logs and Sysmon into Forwarded Events. (I know I could create collections per log instead.)

So since all logs now drop into the same bucket (ForwardedEvents), I just want to split them into 2 different indexes as follows:

- windows event logs ---> index=wineventlog
- sysmon ---> index=sysmon

I have tried to add the following stanza on inputs.conf

[WinEventLog://ForwardedEvents]
disabled = 0
index = sysmon
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true

but it didn't work. Instead, all Sysmon logs kept being ingested into the wineventlog index along with all the other logs.

Hope it's more clear now.

Kind regards,

Chris

0 Karma

venkatasri
SplunkTrust

Hi @b_chris21 

I wonder how these logs are going to wineventlog when inputs.conf has been pointed to the sysmon index.

Can you run btool and find out whether there is another conf taking precedence on the UF? If you have a specific individual pattern for the Sysmon and WinEvent logs coming from the ForwardedEvents collection, then the approach I can think of is to use props/transforms on the HF/indexer layer to redirect them to the respective index based on a REGEX.

0 Karma

b_chris21
Communicator

Hi @venkatasri,

specifically both Windows Events and Sysmon are set to go to ForwardedEvents collection and not into separate ones.

Therefore both are indexed by default into wineventlog index via inputs.conf. I believe there is no way to split data from a single source to two different indexes, right?

How can this be done with a REGEX and editing the props.conf and transforms.conf? Can this be done on an indexer as I do not have an HF.

Thanks

0 Karma
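As an added example (not from the original thread, and not the configuration shipped by Splunk_TA_windows or TA-microsoft-sysmon), here is the index-time routing Chris asks about in this post and that venkatasri suggests two posts up: a props.conf/transforms.conf pair that runs on the indexer (the parsing tier; it has no effect when placed on a universal forwarder), keeps the input's default index as wineventlog, and overrides the index to sysmon for any event whose raw text names the Sysmon provider. The stanza name source::WinEventLog:ForwardedEvents, the transform name route_sysmon_to_sysmon_index and the regex are assumptions; the sysmon index is assumed to already exist on the indexer.

```ini
# inputs.conf on the universal forwarder (e.g. in Splunk_TA_windows/local):
# one input whose default destination is wineventlog. The Sysmon split is
# not done here; it happens at parse time on the indexer.
[WinEventLog://ForwardedEvents]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true

# props.conf on the indexer.
# ASSUMPTION: the source value of these events is WinEventLog:ForwardedEvents.
# Confirm it first with a search such as
#   index=wineventlog | stats count by source sourcetype
# and adjust the stanza if your data shows a different source or sourcetype.
[source::WinEventLog:ForwardedEvents]
TRANSFORMS-route_sysmon = route_sysmon_to_sysmon_index

# transforms.conf on the indexer.
# The REGEX is applied to _raw at parse time, so it must match the event text
# itself, not a search-time field. Both the XML rendering
# (<Provider Name='Microsoft-Windows-Sysmon' ...>) and the classic rendering
# (SourceName=Microsoft-Windows-Sysmon) contain the provider name, so one
# pattern covers both. Events that do not match keep the input's index.
[route_sysmon_to_sysmon_index]
REGEX = Microsoft-Windows-Sysmon
DEST_KEY = _MetaData:Index
FORMAT = sysmon
```

After restarting splunkd on the indexer, verify the split with `index=sysmon | stats count by source` and `index=wineventlog | stats count by source`; Sysmon events should appear only in the first. If some events still land in the wrong index, run `splunk btool inputs list --debug` on the forwarder to see which app's [WinEventLog://ForwardedEvents] stanza wins, and `splunk btool props list --debug` on the indexer to confirm the source stanza is actually applied.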

venkatasri
SplunkTrust

Hi @b_chris21 

Sysmon has different conf settings via the Sysmon add-on; ForwardedEvents is part of the Windows add-on. You can find the Sysmon settings here - Solved: Re: Connectivity issues - Splunk Community

So if your ForwardedEvents contains event logs alone, you can direct them to the wineventlog index, and the Sysmon add-on input mentioned above to the sysmon index.

--

An upvote would be appreciated if this reply helps!

0 Karma