I need to drop "Filtering Platform Connections" events, and I also want to drop most of the "Audit File System" events from Windows servers. I do not have control over the source servers; those only have a universal forwarder. I can only change the all-in-one indexer Splunk server.
I followed http://docs.splunk.com/Documentation/Splunk/5.0.6/Deploy/Routeandfilterdatad and some posts on Answers, and was testing the following:
in ../etc/system/local/

props.conf:

    [WinEventLog:Security]
    TRANSFORMS-wmi = NullEvents-null, WinSecEvents-null

transforms.conf:

    [NullEvents-null]
    REGEX = .
    DEST_KEY = queue
    FORMAT = nullQueue

    [WinSecEvents-null]
    REGEX = (?msi)^EventCode=(5156|104)\D
    DEST_KEY = queue
    FORMAT = indexQueue
Unfortunately, the filtered events still show up.

What I did so far:
- tested the regex in search in Splunk: it works,
- tried adding the files to /etc/apps/windows/, /etc/apps/Splunk_TA_Windows and /splunk/app/Splunk_for_Exchange, as those were the locations that ./splunk cmd btool and grep came up with,
- tried several source names: [WMI:WinEventLog:Security] [source::WinEventLog:Security] [source::WMI:WinEventLog:Security] [source::main] [WMI:WinEventLog:Security],
- rebooted after each test (of course),
- created a case with Splunk and gave them the dump file, but this is not solved yet.

I'm wondering whether I'm putting the files in the proper place (folder), and whether I'm using the correct [source] stanza.

++ I'm on 5.0.6. ++ I'm fresh to Splunk configurations. ++ I'm abusing my license as I can't filter the events, so the issue is urgent. ++
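Added example, not part of the original post and not Splunk code: a small Python simulation of the queue routing that the two posted transforms produce, so you can check the regex against the multi-line WinEventLog layout and see which events end up in nullQueue before touching the indexer. It assumes the behaviour the linked Splunk page describes, namely that the transforms in a TRANSFORMS-<name> line run in the listed order and that each matching transform overwrites the single DEST_KEY = queue value (so the last match decides). The sample events are constructed, not real captures, and the `parse_transforms`, `build_chain` and `route` helpers plus the `drop-5156-104` stanza are hypothetical names invented for this example. Run as posted, the chain keeps only EventCode 5156 and 104 and drops everything else; the one-stanza variant shows the other direction (drop 5156 and 104, keep the rest), which goes beyond what the post shows.

```python
import re

# Constructed sample events (not real captures). They use the one-field-per-line
# key=value layout that Splunk's WinEventLog input emits, with EventCode on its own
# line, which is what the posted (?msi)^EventCode=... regex relies on.
def _event(code, message):
    return (
        "03/10/2014 10:15:22 AM\n"
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        f"EventCode={code}\n"
        "EventType=0\n"
        f"Message={message}\n"
    )

SAMPLE_EVENTS = {
    "fpc_5156": _event(5156, "The Windows Filtering Platform has permitted a connection."),
    "audit_fs_4663": _event(4663, "An attempt was made to access an object."),
    "logon_4624": _event(4624, "An account was successfully logged on."),
    "code_104": _event(104, "Constructed event with code 104."),
    "code_1040": _event(1040, "Constructed event whose code merely starts with 104."),
}

# The transforms.conf stanzas exactly as posted, and the props.conf value that orders them.
TRANSFORMS_CONF = r"""
[NullEvents-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[WinSecEvents-null]
REGEX=(?msi)^EventCode=(5156|104)\D
DEST_KEY = queue
FORMAT = indexQueue
"""
PROPS_TRANSFORMS_LINE = "NullEvents-null, WinSecEvents-null"

# Hypothetical one-stanza chain for the opposite goal: drop 5156 and 104, keep the rest.
DROP_TRANSFORMS_CONF = r"""
[drop-5156-104]
REGEX = (?msi)^EventCode=(5156|104)\D
DEST_KEY = queue
FORMAT = nullQueue
"""

def parse_transforms(text):
    """Minimal stanza parser for a transforms.conf fragment: {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def build_chain(transforms_line, stanzas):
    """Order the queue-routing transforms the way a TRANSFORMS-<name> line lists them."""
    chain = []
    for name in (n.strip() for n in transforms_line.split(",")):
        stanza = stanzas[name]
        if stanza.get("DEST_KEY") == "queue":
            chain.append((name, stanza["REGEX"], stanza["FORMAT"]))
    return chain

def route(event, chain):
    """Assumed Splunk semantics: transforms run in order and each match overwrites
    the single queue key, so the last matching transform decides the queue."""
    queue = "indexQueue"  # default when nothing rewrites the queue key
    for _name, regex, fmt in chain:
        if re.search(regex, event):
            queue = fmt
    return queue

def route_all(events, chain):
    return {name: route(text, chain) for name, text in events.items()}

POSTED_CHAIN = build_chain(PROPS_TRANSFORMS_LINE, parse_transforms(TRANSFORMS_CONF))
DROP_CHAIN = build_chain("drop-5156-104", parse_transforms(DROP_TRANSFORMS_CONF))

if __name__ == "__main__":
    for label, chain in (("posted chain", POSTED_CHAIN), ("drop-only chain", DROP_CHAIN)):
        print(label)
        for name, queue in route_all(SAMPLE_EVENTS, chain).items():
            print(f"  {name:14} -> {queue}")
```

The `code_1040` sample is there to show why the trailing `\D` matters: without it, `104` would also match an EventCode of 1040. If the simulation routes events the way you expect but the indexer does not, the regex and stanza order are not the problem, and the question becomes where the props.conf lives (precedence between system/local and the apps) and whether the data is actually arriving under the sourcetype WinEventLog:Security.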