This is not a question. When I tried to get a simple answer for what I believe is a simple problem, I could not find one that worked.
So for those of you who use a Windows Heavy Forwarder which collects remote event logs from other Windows systems - you will likely want to filter a bunch of stuff so that it does not get forwarded to the indexer system.
There are a lot of things out there about version 6 and blacklisting, and also about where and what to update in config files to filter this stuff. For me, neither support nor the other items mentioned on this site and the blog site seemed to work at all. So if you have the above scenario, this is what worked for me. This may not be the politically correct way to do it, but all I know is that after trying everything else, this is the only thing that worked for me ...
On your Windows based Heavy Forwarder that is collecting the event logs from remote systems:
Create and/or edit the file: \program files\splunk\etc\system\local\props.conf and add:
[WMI:WinEventLog:Security]
REPORT-rename-windows = windows-rename-user, windows-rename-user2, windows-rename-user3, windows-eventid, windows-group
REPORT-extract-windows = windows-src_ip, windows-src_port, windows-process, windows-src_nt_domain-1, windows-src_nt_domain-2, windows-src_nt_domain-3, windows-dest_nt_domain-1, windows-dest_nt_domain-2
TRANSFORMS-sec = setnull

[WMI:WinEventLog:System]
REPORT-rename-windows = windows-rename-user, windows-rename-user2, windows-rename-user3, windows-eventid, windows-group
REPORT-extract-windows = windows-src_ip, windows-src_port, windows-process, windows-src_nt_domain-1, windows-src_nt_domain-2, windows-src_nt_domain-3, windows-dest_nt_domain-1, windows-dest_nt_domain-2
TRANSFORMS-sys = setnull

[WMI:WinEventLog:Application]
REPORT-rename-windows = windows-rename-user, windows-rename-user2, windows-rename-user3, windows-eventid, windows-group
REPORT-extract-windows = windows-src_ip, windows-src_port, windows-process, windows-src_nt_domain-1, windows-src_nt_domain-2, windows-src_nt_domain-3, windows-dest_nt_domain-1, windows-dest_nt_domain-2
TRANSFORMS-app = setnull
The setnull line is the key (a fairly standard Splunk approach) and is referenced in the next file that you need:
\program files\splunk\etc\system\local\transforms.conf
[setnull]
REGEX = (?msi)(^EventType=3|^EventCode=(26|64|65|100|101|333|528|538|540|551|552|562|567|576|577|578|680|735|736|4114|2080|2334|1704|7035|7036|14500|10009))
DEST_KEY = queue
FORMAT = nullQueue
The EventCodes above are what I filter, and I have taken to being more aggressive and decided to filter (for now) anything that is of EventType=3, since those are "success" and/or benign types of messages, at least based on my thorough review of all the messages of this type that I have seen. I am not interested in things that work, I am interested in things that don't.
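Before shipping a nullQueue rule it is worth dry-running the REGEX against a few events, because whatever it matches is gone for good. The script below is an added example (not part of the post) that replays the setnull REGEX from the transforms.conf above over constructed WMI:WinEventLog-style event bodies. It also shows one thing to watch: the EventCode alternatives are not anchored at the end of the line, so `26` also matches EventCode=2624 and `100` also matches EventCode=1000; an anchored variant with `\r?$` is included for comparison. All event bodies and the anchored regex are constructed for this example.

```python
import re

# setnull REGEX copied from the post's transforms.conf. Splunk uses PCRE; Python's re
# behaves the same for the constructs used here (inline flags, alternation, ^ in multiline).
ORIGINAL_SETNULL = re.compile(
    r"(?msi)(^EventType=3|^EventCode=(26|64|65|100|101|333|528|538|540|551|552|562|"
    r"567|576|577|578|680|735|736|4114|2080|2334|1704|7035|7036|14500|10009))"
)

# Same code list, but each EventCode alternative must end at end-of-line (\r?$), so that
# 26 no longer swallows 2624 and 100 no longer swallows 1000. Constructed for comparison.
ANCHORED_SETNULL = re.compile(
    r"(?msi)(^EventType=3|^EventCode=(26|64|65|100|101|333|528|538|540|551|552|562|"
    r"567|576|577|578|680|735|736|4114|2080|2334|1704|7035|7036|14500|10009)\r?$)"
)


def make_event(event_code: int, event_type: int, log_name: str = "Security") -> str:
    """Build a constructed WMI:WinEventLog-style event body (not real log data)."""
    return (
        "03/05/2014 10:15:22 AM\r\n"
        f"LogName={log_name}\r\n"
        f"EventCode={event_code}\r\n"
        f"EventType={event_type}\r\n"
        "Type=Information\r\n"
        "Message=constructed sample event\r\n"
    )


# Constructed samples, keyed by a label so the results read easily.
SAMPLES = {
    "logon_528": make_event(528, 8),           # listed code: should be dropped
    "success_type3": make_event(4624, 3),      # EventType=3: should be dropped
    "logon_4624": make_event(4624, 8),         # not listed: should be kept
    "app_error_1000": make_event(1000, 1, "Application"),  # prefix-matches 100
    "code_2624": make_event(2624, 8),          # prefix-matches 26
}


def nulled(regex: re.Pattern) -> set:
    """Return the labels of SAMPLES that `regex` would route to nullQueue."""
    return {label for label, body in SAMPLES.items() if regex.search(body)}


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL_SETNULL), ("anchored", ANCHORED_SETNULL)):
        print(f"{name:9s} drops: {sorted(nulled(rx))}")
```

Swap in your own event bodies (e.g. from `index=... | table _raw`) to confirm exactly which events a candidate REGEX would discard before putting it on the forwarder.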
I wish that the blacklist feature in Splunk 6 would have worked. There were also some pointers to using wmi.conf, which did not work, and also some discussion about where to put the transforms.conf and props.conf files (apps\windows\local vs. etc\system\local), and the windows folder definitely did not work for me. Also, putting any of this on the indexer definitely did not work AT ALL.
Hope this is helpful to someone. Maybe one day Splunk will do the common sense thing and write a simple explanation for this common need in this somewhat common scenario.