Hi,
I installed Splunk Enterprise on a single instance and am installing the Splunk Universal Forwarder.
The goal is to index only the Windows Security event logs for logon success, logon failure, and logoff.
I have configured the PROPS file on the server as follows:
[default]
[csv]
CHECK_FOR_HEADER = false
[WinEventLog:Security]
# TO CHANGE: filter on the local WinEventLog Security events (Splunk server)
TRANSFORMS-wineventlog_security = SetNull, GetLocalWinAdmin
and TRANSFORMS:
[SetNull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[GetLocalWinAdmin]
# Filter to keep logons (failed or not) and logoffs only for all Admins (Win2000/3 and Win2008)
#REGEX =(?msi)EventCode=(?:5(?:28|29|3[0-8]|40)|46(?:24|25|34|47|48))\s
#REGEX =(?msi)EventCode=(?:5(?:29|3[0-7])|4625)|EventCode=(?:5(28|38|40)|46(?:24|34|47|48))\s+.+(?:(?:User|Account)\s+Name:|(?:Nome\s+(?:utente|account):))\s+(?:Admin|Administrator|user1|user2|user3)\s
source="WinEventLog:*"
On the FORWARDER servers I configured the inputs and outputs files as follows:
INPUTS:
[WinEventLog://Security]
checkpointInterval = 5
disabled = 0
current_only = 1
evt_resolve_ad_obj = 1
# start_from = newest
whitelist = 528,538,540,529,530,531,532,533,534,535,536,537,539,4624,4625,4634,4648,4672,4625,4771
OUTPUTS:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = SPLUNK.domain.local:9997
At present I have received data from two sources:
WinEventLog: Application
WinEventLog: System
but not from WinEventLog: Security!!!! That is what I'm interested in.
I do not understand why it's not working. Can anyone help?
Thank you.