Can I apply an inputs.conf WinEventLog stanza by regex or IP range with a whitelist?

wyodoc1
Explorer

Can we, because Windows SID translations need to be pointed to a specific domain controller based on IP, point our DMZ Universal Forwarders to the DC in the DMZ (IP=205.x.x.x) and point anything else to our internal DC? I know you can whitelist files and hosts using a regex, but what about by IP, or with a regex of the IP? I would rather not have to adjust or keep a list of which servers are in the DMZ and update the list as they are added and removed.

[WinEventLog://Security]
whitelist=205.*
evt_dc_name = app-ldap-servers.domainname.com

[WinEventLog://Security]
blacklist=205.*
evt_dc_name = internal-app-ldap-servers.domainname.com
0 Karma

woodcock
Esteemed Legend

No, you cannot; whenever you duplicate any WinEventLog stanza, the last one has precedence and all earlier stanzas are completely ignored. You have two options: you can stand up two instances of Splunk on the forwarder and configure each one with one of the stanzas (this is really not a big deal and works great), or you can carve out one set of events, send them to a logfile using Windows tools, and have Splunk monitor that logfile. This answer discusses the latter solution:

http://answers.splunk.com/answers/314099/for-wineventlogsecurity-how-to-use-renderxmltrue-f-1.html

0 Karma
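Since a single inputs.conf cannot pick `evt_dc_name` by source IP, one way to get the effect the question asks for without hand-maintaining a DMZ host list is to generate the stanza on each forwarder from the host's own addresses at deployment time. The script below is an added example, not code from this thread or from Splunk: the DC hostnames are the ones in the question, while the DMZ CIDR range, the output path and the event-log settings are assumptions to adjust for your environment.

```python
import ipaddress
import os
import socket

# DC names taken from the question; the 205.0.0.0/8 range is an assumption
# standing in for the "205.x.x.x" DMZ addressing the question describes.
DMZ_NETWORKS = [ipaddress.ip_network("205.0.0.0/8")]
DMZ_DC = "app-ldap-servers.domainname.com"
INTERNAL_DC = "internal-app-ldap-servers.domainname.com"

# Assumed output location: a local app on the forwarder, so the generated
# stanza does not collide with anything shipped in default/.
OUTPUT_PATH = os.path.join(
    os.environ.get("SPLUNK_HOME", r"C:\Program Files\SplunkUniversalForwarder"),
    "etc", "apps", "dc_selector", "local", "inputs.conf",
)


def select_dc(ip_str):
    """Return the DC to use for one address: DMZ DC if inside a DMZ network."""
    ip = ipaddress.ip_address(ip_str)
    return DMZ_DC if any(ip in net for net in DMZ_NETWORKS) else INTERNAL_DC


def choose_dc_for_host(addresses):
    """Pick a DC for a host that may have several NICs.

    Any DMZ-range address wins (a dual-homed DMZ box must still resolve SIDs
    against the DMZ DC); strings that are not valid IPs are skipped rather
    than crashing the run, so a stray hostname in the list is harmless.
    """
    for addr in addresses:
        try:
            if select_dc(addr) == DMZ_DC:
                return DMZ_DC
        except ValueError:
            continue  # not an IP literal; ignore it
    return INTERNAL_DC


def render_stanza(dc):
    """Build the single WinEventLog://Security stanza for the chosen DC."""
    return "\n".join([
        "[WinEventLog://Security]",
        "disabled = 0",
        f"evt_dc_name = {dc}",
        "",
    ])


def local_addresses():
    """All IPv4 addresses the host resolves for its own name (stdlib only)."""
    try:
        return socket.gethostbyname_ex(socket.gethostname())[2]
    except socket.gaierror:
        return []


def write_inputs_conf(path=OUTPUT_PATH, addresses=None):
    """Generate the stanza for this host and write it; returns the DC chosen."""
    addrs = local_addresses() if addresses is None else addresses
    dc = choose_dc_for_host(addrs)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(render_stanza(dc))
    return dc


if __name__ == "__main__":
    chosen = write_inputs_conf()
    print(f"wrote {OUTPUT_PATH} with evt_dc_name = {chosen}")
```

Run it once per forwarder (for instance from the same provisioning step that installs the forwarder) and restart splunkd afterwards so the new stanza is read; because it emits exactly one `[WinEventLog://Security]` stanza, it sidesteps the duplicate-stanza precedence problem described in the answer.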