Splunk Search

Can I apply an inputs.conf WinEventLog stanza by regex or IP range with a whitelist?

wyodoc1
Explorer

Can we, because Windows SID translations need to be pointed to a specific Domain Controller based on IP, point our DMZ Universal Forwarders to the DC in the DMZ (IP=205.x.x.x) and point everything else to our internal DC? I know you can whitelist files and hosts using REGEX, but what about IP, or with a REGEX of the IP? I would rather not have to adjust or keep a list of which servers are in the DMZ and update the list as they are added and removed.

[WinEventLog://Security]
whitelist=205.*
evt_dc_name = app-ldap-servers.domainname.com

[WinEventLog://Security]
blacklist=205.*
evt_dc_name = internal-app-ldap-servers.domainname.com

woodcock
Esteemed Legend

No, you cannot; whenever you duplicate any WinEventLog stanza, the last one has precedence and all earlier stanzas are completely ignored. You have 2 options: you can stand up 2 instances of Splunk on the forwarder and configure each one with one of the stanzas (this is really not a big deal and works great) or you can carve out one set of events and send them to a logfile using Windows tools and Splunk that logfile. This answer discusses the latter solution:

http://answers.splunk.com/answers/314099/for-wineventlogsecurity-how-to-use-renderxmltrue-f-1.html

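As an added illustration of the precedence behaviour described in the answer (this is not code from the thread or from Splunk), here is a small Python lint that parses an inputs.conf fragment, flags stanza names that appear more than once, and shows which copy would take effect. The sample text is constructed from the two stanzas in the question, and the last-copy-wins resolution is an assumption that follows the answer above.

```python
import re

# Constructed sample mirroring the question: two [WinEventLog://Security] stanzas,
# one with a whitelist and one with a blacklist, in the same inputs.conf.
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Security]
whitelist=205.*
evt_dc_name = app-ldap-servers.domainname.com

[WinEventLog://Security]
blacklist=205.*
evt_dc_name = internal-app-ldap-servers.domainname.com
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")

def parse_stanzas(text):
    """Return [(stanza_name, {key: value}), ...] in file order, keeping duplicates."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = (m.group(1), {})
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
        # a setting before any stanza header, or a line without '=', is ignored
    return stanzas

def effective_stanzas(text):
    """Resolve duplicates as the answer describes (assumption): the last stanza
    with a given name wins outright. Returns (effective, duplicates), where
    duplicates maps each repeated stanza name to how many times it appeared."""
    effective, seen = {}, {}
    for name, settings in parse_stanzas(text):
        seen[name] = seen.get(name, 0) + 1
        effective[name] = settings  # later copy replaces the earlier one entirely
    duplicates = {n: c for n, c in seen.items() if c > 1}
    return effective, duplicates

if __name__ == "__main__":
    eff, dups = effective_stanzas(SAMPLE_INPUTS_CONF)
    for name, count in dups.items():
        print(f"WARNING: [{name}] defined {count} times; only the last copy is applied")
    print(eff)
```

Running it against the sample reports the duplicated Security stanza and shows that only the blacklist copy with the internal DC survives, which is exactly the silent misconfiguration the answer warns about.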