I have this necessity to gather exclusively the Windows Administrators login/logfail/logout from Windows Universal FW.
I know how to do for the type of events (by putting EventCode IDs in the .conf files that I deploy to the universal forwarders)
What I still do not do, is collecting ONLY the admin events. What I mean is provisioning this directly from the FW level and not indexing these kinds of events for all users and only then filtering through (maybe match a predefined CSV file) and building dashboards.
I have read somewhere about some regex stanza (in props.conf and transforms.conf) which provide patterns to allow event gathering...
I hope someone has had the same issue before.
Thanks a lot in advance,
you cannot filter events on Forwarders, but only on Indexers or Heavy Forwarders.
To filter events, so you have to create in your indexer/s props.conf and transforms.conf like these:
[WinEventLog:Security] TRANSFORMS-set= setnull,setparsing
[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = your regex DEST_KEY = queue FORMAT = indexQueue
The problem is that you have to restart Splunk every time you modify your regex to insert a new administrator's username.
In addition you could need to have all users login and filter them at application level.
So I usually filter my events to take only the ones related to login, logout and logfail and I inserted the Administrators usernames in a lookup filtering my searches for this lookup.
In this way I can add an administrator with no Splunk restart and I can monitor all the users logins; obviously I must index more logs, but with the filter on Windows EventCodes there isn't a very larger consuption of Splunk License.
the regex I used to filter windows login events is the following, useful for all Windows Systems (old and new, Win and SQL):
Thanks for your response in so fast time!
I fully understand the explanation and you just reminded me about the chances I've got.
But, what if, for legal compliance, you MUST NOT index in your indexer any log from other users who are not Administrators?
I already have done the way you and hsesterhenn suggested. If with an UF you cannot do this without first, it is OK for me. I just need to be sure.
Thanks a lot,
you can't filter by event on a Windows Universal Forwarder because a UF does not parse (Indexer or Heavy Forwarder do).
BUT, you might blacklist/whitelist by event ID and some regexes...