Hello everyone,
I am collecting Windows event logs and Sysmon logs from my Windows domain on my WEF server. From the WEF server, using a UF, I am forwarding everything to my Splunk indexer.
My question is:
How can I split the data collected by [WinEventLog://ForwardedEvents] into two different indexes (wineventlog, sysmon)? I don't want Sysmon to end up in the wineventlog index.
Shall I use props.conf and transforms.conf modifications to achieve that? If yes, can you please guide me on how this should be formatted?
The next step would be to properly configure inputs.conf in Splunk_TA_Windows and TA-microsoft-sysmon so that I don't index unneeded data that would cause performance issues.
For example, in TA-microsoft-sysmon's inputs.conf I will have to put:
[WinEventLog://ForwardedEvents]
disabled = 0
index = sysmon
start_from = oldest
# current_only (not currently_only): 0 = also read events already in the channel
current_only = 0
checkpointInterval = 5
renderXml = true
but this will also index the Windows event logs, which are not needed in this index. Is that correct?
Thanks
Chris
Hi @venkatasri,
thanks for your reply. I am aware of what you have described. The only difference is that on my WEF I have created a single subscription that drops all Windows event logs and Sysmon into ForwardedEvents. (I know I could create collections per log instead.)
So since all logs now drop into the same bucket (ForwardedEvents), I just want to split them into two different indexes as follows:
- windows event logs ---> index=wineventlog
- sysmon ----> index=sysmon
I have tried adding the following stanza to inputs.conf:
[WinEventLog://ForwardedEvents]
disabled = 0
index = sysmon
start_from = oldest
# current_only (not currently_only): 0 = also read events already in the channel
current_only = 0
checkpointInterval = 5
renderXml = true
but it didn't work. Instead, all Sysmon logs kept being ingested into the wineventlog index along with all the other logs.
Hope it's clearer now.
Kind regards,
Chris
Hi @b_chris21
I wonder how, when inputs.conf has been pointed to the sysmon index, these logs are going to wineventlog.
Can you run btool and find out whether there is another conf taking precedence on the UF? If you have a specific individual pattern for the Sysmon and Windows event logs coming from the ForwardedEvents collection, then the approach I can think of is to use props/transforms on the HF/indexer layer to redirect them to their respective index based on a REGEX.
Hi @venkatasri,
specifically, both Windows events and Sysmon are set to go to the ForwardedEvents collection and not into separate ones.
Therefore both are indexed by default into the wineventlog index via inputs.conf. I believe there is no way to split data from a single source into two different indexes, right?
How can this be done with a REGEX by editing props.conf and transforms.conf? Can this be done on an indexer, as I do not have an HF?
Thanks
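One way to do the regex-based split on the indexer, as an added example that is not configuration from any reply in this thread or from either add-on. Index-time transforms run on the parsing tier, which is the indexer itself when there is no heavy forwarder, so the UF keeps its single ForwardedEvents stanza with index = wineventlog and only the Sysmon events are rerouted. The example assumes the Windows add-on tags the renderXml input with source=XmlWinEventLog:ForwardedEvents and that TA-microsoft-sysmon's sourcetype is XmlWinEventLog:Microsoft-Windows-Sysmon/Operational; both names are assumptions, so confirm them with `index=wineventlog | stats count by source sourcetype` and the Sysmon TA's props.conf before deploying.

```ini
# props.conf on the indexer (in a local app, e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/)
# Assumption: the Splunk_TA_windows ForwardedEvents input with renderXml=true
# arrives as source=XmlWinEventLog:ForwardedEvents. Verify with
#   index=wineventlog | stats count by source sourcetype
# and change the stanza name if yours differs.
[source::XmlWinEventLog:ForwardedEvents]
# Both transforms are index-time: they apply only to events indexed after the
# indexer is restarted, and they run in the order listed here.
TRANSFORMS-route_sysmon = forwarded_sysmon_index, forwarded_sysmon_sourcetype

# transforms.conf on the same indexer
[forwarded_sysmon_index]
# Match the <Channel> element of the rendered event XML, so only events that
# came from the Sysmon operational channel are redirected. Everything else in
# ForwardedEvents keeps the index set by inputs.conf (wineventlog).
REGEX = <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
# Rewrite the destination index. The sysmon index must already be defined in
# indexes.conf on the indexer; events routed to a missing index are not kept.
DEST_KEY = _MetaData:Index
FORMAT = sysmon

[forwarded_sysmon_sourcetype]
# Optional but recommended: give the redirected events the sourcetype that the
# Sysmon add-on's field extractions and CIM mappings key off. The sourcetype
# name is an assumption; copy it from TA-microsoft-sysmon's props.conf.
REGEX = <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
```

After restarting the indexer, check `index=sysmon | stats count by source sourcetype` and confirm that `index=wineventlog Channel="Microsoft-Windows-Sysmon/Operational"` returns nothing for new events; events indexed before the change stay where they were. If the input is ever switched to renderXml = false, the raw format carries the channel as `LogName=Microsoft-Windows-Sysmon/Operational` instead of a `<Channel>` element, so the REGEX would need to match that form as well.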
Hi @b_chris21
Sysmon has different conf settings via the Sysmon add-on; ForwardedEvents is part of the Windows add-on. You can find the Sysmon settings here: Solved: Re: Connectivity issues - Splunk Community
So if your ForwardedEvents carries the Windows event logs alone, you can direct them to the wineventlog index, and direct the Sysmon add-on's input mentioned above to the sysmon index.
--
An upvote would be appreciated if this reply helps!