Hello, all
I have been researching and working on this for several hours across the past two days...but my only success so far is in not having broken anything for trying.
I currently have a heavy forwarder (Linux), dedicated indexer (Windows), search head (Windows) and separate deployment server (Windows). Because we just have a small starter environment right now, we wanted to only allow Windows Security Event log entries that had the Keywords=Audit Failure to be indexed initially. That is working fine. I now want to add events where the EventCode=4740 (Account Lockout) to the indexed data.
I see Splunk_TA_Windows resides on my Search Head, on the Indexer and on the Heavy Forwarder (the only one of the three that is getting its copy from the Deployment Server). I have examined Props and Transforms settings and see where there is a REGEX in Transforms for the Splunk_TA_Windows app that is set to Keywords=Audit Failure. I have made several changes to the REGEX line on both the Search Head and the Indexer, including replacing it with REGEX = EventCode=4740. I have restarted Splunk each time. Nothing seems to have any effect on the data coming through.
Several questions related to this topic (any answer to any of them will help):
How does Splunk_TA_Windows interact on the three machines?
Should I be using the deployment server to send Splunk_TA_Windows to all three servers?
Do I need to modify all three sets of .conf files identically or just the Heavy Forwarder (the only one I haven't modified)?
What is the best practice for allowing both Keywords=Audit Failure AND EventCode=4740 data to be indexed?
Thanks...
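One way to admit both event classes, as an added configuration example that is not part of the original post or of Splunk_TA_Windows itself; it follows the nullQueue/indexQueue routing pattern from Splunk's own "route and filter data" documentation, and the stanza names `setnull` and `keep_security_events` are assumed, not the names the TA actually uses. It assumes the stanzas are deployed to the heavy forwarder, because queue-routing transforms run at parse time on the first full Splunk instance in the path, and an indexer does not re-parse data that arrives already cooked from a heavy forwarder.

```ini
# props.conf  (assumed: an app pushed by the deployment server to the heavy forwarder,
# the first full Splunk instance that parses these events)
#
# Matching on source rather than sourcetype works whether the TA assigns the
# sourcetype WinEventLog:Security (older TA) or WinEventLog (newer TA).
[source::WinEventLog:Security]
# Order matters: transforms run left to right and the LAST one whose REGEX
# matches decides the final queue, so the catch-all discard goes first.
TRANSFORMS-set = setnull, keep_security_events

# transforms.conf
# 1. Default action: route every Security event to the nullQueue (dropped).
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2. Override: keep an event if it is an Audit Failure OR an account lockout.
#    Windows event log fields arrive one per line, so (?m) makes ^ and $ anchor
#    on each line instead of only the start/end of the whole event; \s*$ tolerates
#    the trailing carriage return that CRLF-formatted events carry.
[keep_security_events]
REGEX = (?m)^(?:Keywords=Audit Failure|EventCode=4740)\s*$
DEST_KEY = queue
FORMAT = indexQueue
```

After deploying, run `splunk btool transforms list --debug` on the heavy forwarder to confirm which file's copy of the stanza wins the precedence merge, since a competing copy of the same stanza name in another app would silently override it.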