how to use Heavy Forwarder to selectively forward WinEventLog:Security ?

habshansplunk
New Member

I'm trying to use heavy forwarder to forward just the WinEventLog:Security logs. Can someone please tell me how to do it?

1 Solution

Richfez
SplunkTrust

Since in this case the answer to "Use a Universal Forwarder" is contraindicated by needs, let's try routing data.

You have an HF that's receiving data from Windows Event logs, and you want to send SOME of those logs off to another Splunk instance. In that case, you'll want to Route and filter data.

Following those steps:

Step one's answer is that you want to send anything matching your sourcetype of WinEventLog:Security.

Step two, open a shell prompt. It doesn't mention it but change to your splunk user if necessary and change to (default of) /opt/splunk/etc/system/local

Step three, you'll want a stanza in props.conf (Please double-check me for typos and stuff!) that matches your Security logs (as per the answer to step one), and tells Splunk to run a transform named "MoveSecurityLogsToCloud". (You can name it anything you want, just make sure it matches the transforms.conf entry).

[WinEventLog:Security]
TRANSFORMS-routing=MoveSecurityLogsToCloud

For the second step three (which I'm sure they'll renumber soon since I gave feedback already on that!), edit the transforms.conf and add something like the below to it. This matches your name you gave it above, tells it to search on that sourcetype for anything ( * ) and when it matches, use _TCP_ROUTING to an output stanza named "MyCloudProvider".

[MoveSecurityLogsToCloud]
# "." matches every event of this sourcetype; a bare "*" is not a valid regex
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = MyCloudProvider

Then lastly (step four or five depending on if the numbers are fixed in the docs), edit outputs.conf in there as well. You'll want to add as a name the name you just used above on a tcpout stanza, and then fill in the details of your cloud connection.

[tcpout:MyCloudProvider]
server=MyCloudIP:MyCloudPort

Again, double-check the things, take your time and read all the rest of the directions and notes, but that should get you there.

Give that a try, let us know how that works!

Happy Splunking!
Rich
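Because the whole chain hinges on names in three files matching exactly, here is a small consistency checker as an added example (not from the original thread or from Splunk). The three conf texts are constructed copies of the stanzas above; the transforms copy deliberately keeps a bare `*` as REGEX to show that a PCRE-style regex engine rejects it, and the checker also flags the `indexAndForward` setting a forwarding Splunk Enterprise instance needs in order to keep indexing locally.

```python
import configparser
import re

# Constructed copies of the three stanzas from the answer above (not read from disk).
PROPS = """[WinEventLog:Security]
TRANSFORMS-routing = MoveSecurityLogsToCloud
"""
TRANSFORMS = """[MoveSecurityLogsToCloud]
REGEX = *
DEST_KEY = _TCP_ROUTING
FORMAT = MyCloudProvider
"""
OUTPUTS = """[tcpout:MyCloudProvider]
server = MyCloudIP:MyCloudPort
"""

def load_conf(text):
    """Parse Splunk .conf text: INI-style stanzas, case-sensitive keys, '=' only."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_routing(props_text, transforms_text, outputs_text):
    """Walk props -> transforms -> outputs and return a list of problems ([] = consistent)."""
    props, transforms, outputs = (load_conf(t) for t in (props_text, transforms_text, outputs_text))
    groups = {s.split(":", 1)[1] for s in outputs.sections() if s.startswith("tcpout:")}
    problems = []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                if name not in transforms:
                    problems.append(f"{stanza}: transform '{name}' is not defined in transforms.conf")
                    continue
                t = transforms[name]
                try:  # Splunk uses PCRE; a bare '*' fails there just as it does here
                    re.compile(t.get("REGEX", ""))
                except re.error as err:
                    problems.append(f"{name}: REGEX '{t.get('REGEX')}' is invalid ({err}); use '.' to match every event")
                if t.get("DEST_KEY") == "_TCP_ROUTING" and t.get("FORMAT") not in groups:
                    problems.append(f"{name}: FORMAT '{t.get('FORMAT')}' has no [tcpout:...] stanza in outputs.conf")
    # A Splunk Enterprise instance that forwards stops indexing locally unless this is set.
    if outputs.get("tcpout", "indexAndForward", fallback="false").lower() != "true":
        problems.append("outputs.conf: set indexAndForward = true under [tcpout] to keep indexing locally")
    return problems
```

Calling check_routing(PROPS, TRANSFORMS, OUTPUTS) on the stanzas as constructed reports the invalid REGEX and the missing indexAndForward; with REGEX = . and a [tcpout] stanza carrying indexAndForward = true it returns an empty list.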

Richfez
SplunkTrust

You only need the universal forwarder and not a heavy forwarder - it's smaller, lighter, faster, and easier and has the more common needs for filtering/blacklisting built in.

But either way - UF or HF - the process is more or less the same. It is all documented in the docs on Monitor Windows event logs data. You can Collect event logs from a remote Windows machine, Use Splunk Web to configure event log collection, or a couple of more options.

Indeed, if you don't need the HF (and in most cases you do not, but I don't know the use case yet so I can't be certain), the UF will give you this option at install time.

So I'd suggest you uninstall the HF, use the UF and give that a whirl using the documentation linked. If that works, great! If you have further problems, write back and ask about what specifically isn't working right.

(And note that if you install the UF instead but later find you need a full Splunk instance, the configuration you did should just copy right over so you won't have to "redo" it. 🙂 )

Happy Splunking!
-Ric

habshansplunk
New Member

Thank you for the answer, Ric. 🙂
I did find the option on the UF to forward just the WinEventLog:Security logs. But my scenario is different. All logs are being forwarded from a Windows PC to a Splunk Enterprise installed on a local Ubuntu machine using UF, and then forwarded to a Splunk Enterprise installation on the cloud using HF. So only the WinEventLog:Security logs should reach the Splunk Enterprise on the cloud. I did try editing the props.conf and transforms.conf, but due to my lack of knowledge in coding, I'm not able to figure out what lines to add specifically to make this happen. Please help.
Scenario Screenshot: http://prntscr.com/ex2mmf