- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- how can we split forwarded windows event logs by h...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how can we split forwarded windows event logs by host?
We are using windows event log forwarding to extract the security logs from 100 plus servers to a central location where a splunk forwarder pushes the logs to a Splunk indexer
The problem we have is that the host and source for all events is the server where it Splunk forwarder is installed.
Is there a way of tagging each event with the ORIGINAL server which is included in the event before it gets to the indexer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, this is an old post - but I'll answer it anyway in case someone else is using Windows Event Forwarding and comes across this. Assuming you are monitoring the Forwarded Events log in Windows with using a Splunk forwarder, add the following props and transforms entries on an indexer or heavy forwarder:
In props.conf:
[source::WinEventLog:ForwardedEvents]
TRANSFORM=host = win-host-computername
In transforms.conf:
[win-host-computername]
DEST_KEY = MetaData:Host
REGEX = ComputerName=([^\s\.]+)
FORMAT = host::$1
The transforms entry will strip fully qualified domain names if they are present. if you want to extract a complete fqdn instead of the hostname only, use (\S+) instead of ([^\s\.]+)
This all assumes that you're monitoring the Forwarded Events log with an inputs.conf definition that looks something like this:
# Note that there must be no space between 'Forwarded' and 'Events.
[WinEventLog://ForwardedEvents]
index=winevtlog
disabled = 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I've been trying to get this working, and it seems like something is still missing. I'm getting forwarded events into Splunk, but the source host is still the computer name of my event collector, not the computers that originally forwarded the events. Any additional suggestions would be appreciated. (It looks to me like there might be a typo in your suggested props.conf file entry, I think I fixed that on my agent, but still no luck.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As jonuwz said, sample events would help us help you. Also, how are the events stored on the server that has the forwarder - as individual files, as one big file, organized in directories, etc?
You can set the host for the inputs on the forwarder. You can set the host name based on the name of the input flle, the directory, or even part of the file name. However, on a universal forwarder you can only set the host name on a per-input basis. If your environment mixes events from different hosts into a single file, the universal forwarder can't handle that. This is the approach I would try first.
But if the forwarder is a "heavy forwarder", you can parse the individual events before sending them to the indexer. You would need to set up the parsing (using transforms.conf) to identify the host for each event. That would give you a chance to set the host before forwarding the events. This is not as efficient, so it is not my first choice.
In fact, you can do the same parsing on the indexer itself; a "heavy forwarder" is not usually needed. Again, it is not as efficient as the specify-by-input approach of the Universal Forwarder.
Of course, I think it would be better to put the Universal Forwarder on all of the 100+ servers... but that might not be a reasonable solution, especially in the short term.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you can show a few sample events (sanitized of course), we can help you set it up. And you could probably even do it on the indexers instead of the heavy forwarder...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These are standard windows event logs. One of the limitations with this method is that all the servers feed there logs into signal event view called "forwarded events".
They do have the name of the originating computer within the event, so I guess the heavy forwarder will be the way to go...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Probably not, but if the event contains the hostname anywhere, you can have the indexer extract the hostname and set the host field before its indexed. Have you got a sample event ?
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
