Hi,
For a year or so I've been using a configuration for my Splunk forwarders as it is in this link:
http://www.megafileupload.com/en/file/315637/local-rar.html
I store everything in /etc/system/local/*
The files above are merged with the ones that Splunk creates when it installs itself.
Lately (I think starting with some 4.1.x version of Splunk), on Windows 2008 R2 domain controllers I no longer get the results I want:
I want Splunk to filter out all success audit events from the security logs and only send over failed audits. This, however, is not working; I get the entire output of the security logs, which in turn is making us go over our quota for indexed data.
Could anyone take a look at the configuration files and tell me what should be changed in order to get Splunk to filter out failed audits?
The config files are also supposed to filter out some audit success events; that is also not working, but that is a secondary concern. First I'd like it to just apply this simple failed audit/success audit filter that has been working fine for over a year.
thanks,
ionut
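The standard way to drop Audit Success events before they are indexed is a props.conf/transforms.conf pair that routes matching events to nullQueue. The following is an added example, not the poster's configuration (that archive is behind a file-hosting link) and not Splunk's own shipped config. It assumes the Security log arrives with sourcetype WinEventLog:Security, and that the audit result appears in the raw event text as either "Type=Audit Success" (Windows 2003-style events) or "Keywords=Audit Success" (the Windows 2008 R2-style format); both spellings are matched so a change of event format between Splunk versions does not silently disable the filter.

```ini
# $SPLUNK_HOME/etc/system/local/props.conf
# Attach the nullQueue transform to Security-log events.
# Assumption: the input uses the sourcetype name WinEventLog:Security.
[WinEventLog:Security]
TRANSFORMS-drop_audit_success = drop_audit_success

# $SPLUNK_HOME/etc/system/local/transforms.conf
# Events whose result line reads "Audit Success" are sent to nullQueue and
# discarded before indexing; "Audit Failure" events do not match and are kept.
# (?m) makes ^ anchor at the start of any line inside the multi-line event.
# Assumption: the result is carried as Type=... (2003-style) or Keywords=...
# (2008 R2-style); matching both covers either event format.
[drop_audit_success]
REGEX = (?m)^(?:Type|Keywords)=Audit Success
DEST_KEY = queue
FORMAT = nullQueue
```

Two caveats worth checking before blaming the regex: nullQueue filtering only takes effect on the component that parses events (an indexer or a heavy/light forwarder that runs the parsing pipeline), so it has no effect when placed on a universal forwarder, which passes raw data through unfiltered; and Splunk must be restarted after the files are edited. A quick test is to search the Security sourcetype for the literal string "Audit Success" over the last few minutes after the restart; if the filter is working, only Audit Failure events should come back.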