Getting Data In

Can I assign a sourcetype to Windows event logs?

chimbudp
Contributor

I need to filter specific Application event logs from Windows Server.

I am using a lightweight forwarder.

I set the configuration as below. I am unable to get the results I expected.

Please suggest any modifications needed.

From Universal Forwarder:
inputs.conf

# Windows Application log, polled every 300 s, sent to a custom index and sourcetype.
# If the forwarder does not honour the sourcetype setting here, the events arrive at the
# indexer with the default sourcetype WinEventLog:Application and the props.conf stanza
# below never matches them.
[WinEventLog:Application]
disabled = 0
index = Server1_idx
interval = 300
sourcetype = Server1_EventLogs

From Indexer:
props.conf

# With a Universal Forwarder, parsing (and therefore queue routing) happens on the
# indexer, so these settings belong here. The stanza name is the sourcetype from
# inputs.conf, spelled identically (the original read "Server1_Eventlogs").
[Server1_EventLogs]
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 30
# Break before each "MM/DD/YYYY hh:mm:ss AM|PM" line that starts a Windows event
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
# Splunk's built-in Windows event log field extractions
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv
KV_MODE = none
TRANSFORMS-FIELDS = strip-winevt-linebreaker
# Order matters: the transforms run left to right and each match overwrites the queue,
# so setnull sends everything to nullQueue and setparsing pulls the wanted events back.
TRANSFORMS-set = setnull, setparsing

transforms.conf

# Matches every event (any character) and routes it to nullQueue, i.e. discards it
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Routes events whose EventCode line holds one of the wanted codes back to indexQueue.
# (?m) makes ^ match at the start of each line inside the multi-line event;
# \b stops 1001 from also matching 10013.
[setparsing]
REGEX = (?m)^EventCode=(5740|8112|1001)\b
DEST_KEY = queue
FORMAT = indexQueue

0 Karma
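A local dry run of the queue routing in the configuration above, added here as an example and not part of the original post. It models the documented Splunk behaviour that the transforms listed in TRANSFORMS-set are applied in order with each match overwriting DEST_KEY, and runs the two regexes against three constructed sample events in the multi-line shape a WinEventLog input produces. The function name Get-SplunkQueue and the sample events are assumptions; the real routing is done by the indexer's parsing pipeline, not by this script.

```powershell
# Added example (not from the original post): a local model of how the
# setnull/setparsing pair routes events. Transforms in TRANSFORMS-set run
# left to right and each match overwrites DEST_KEY, so the last matching
# transform decides the queue. Get-SplunkQueue and the sample events are
# assumptions for this dry run; the indexer's parsing pipeline does the real work.

# The two transforms from the question, in TRANSFORMS-set order
$transforms = @(
    @{ Name = 'setnull';    Regex = '.';                                  Queue = 'nullQueue'  }
    @{ Name = 'setparsing'; Regex = '(?m)^EventCode=(5740|8112|1001)\b'; Queue = 'indexQueue' }
)

function Get-SplunkQueue {
    param([string]$Raw, [object[]]$Transforms)
    $queue = 'indexQueue'   # default when no transform matches
    foreach ($t in $Transforms) {
        # .NET regex treats (?m) and ^ the same way the Splunk regex does here
        if ([regex]::IsMatch($Raw, $t.Regex)) { $queue = $t.Queue }
    }
    return $queue
}

# Constructed sample events (only the fields the regexes look at) in the
# multi-line shape a Universal Forwarder emits for a WinEventLog input
$samples = @(
@"
07/15/2024 10:02:11 AM
LogName=Application
SourceName=MsiInstaller
EventCode=1001
EventType=4
Message=Constructed sample: wanted code.
"@
@"
07/15/2024 10:03:45 AM
LogName=Application
SourceName=ESENT
EventCode=10013
EventType=4
Message=Constructed sample: 10013 starts with 1001 but must be dropped.
"@
@"
07/15/2024 10:04:02 AM
LogName=Application
SourceName=Wlclntfy
EventCode=6000
EventType=3
Message=Constructed sample: not in the list.
"@
)

foreach ($raw in $samples) {
    $code = [regex]::Match($raw, '(?m)^EventCode=(\d+)').Groups[1].Value
    # Print the routing decision for each sample event
    'EventCode={0,-6} -> {1}' -f $code, (Get-SplunkQueue -Raw $raw -Transforms $transforms)
}
```

Swap the order of the two entries in $transforms and every event ends up in nullQueue, which is the mistake this dry run is meant to catch before the stanza is deployed to the indexer.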
1 Solution

chimbudp
Contributor

I chose to go with scripted inputs. Here I can specify sourcetypes of my own.
Using a WMI query I can filter the specific event logs I am interested in.

Sample:
Select * from Win32_NtLogEvent where LogFile = 'Application' AND (EventCode = "xxx" OR EventCode = "YYY")

0 Karma
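An added example of the scripted-input approach from the accepted answer, not code from the original post: a PowerShell script a Universal Forwarder can run as a scripted input, with its own sourcetype set in the inputs.conf stanza shown in the leading comment. The app name, script name and checkpoint file location are assumptions; the event codes are the ones from the question. The script keeps the WQL's OR group parenthesised so the LogFile restriction applies to every code, and records the last RecordNumber it emitted so each 300-second run only sends new events.

```powershell
# Added example (not from the original post). Assumed inputs.conf stanza on the
# forwarder (app name, script name and index/sourcetype values are assumptions):
#
#   [script://$SPLUNK_HOME\etc\apps\win_app_filter\bin\Get-FilteredAppEvents.ps1]
#   interval   = 300
#   index      = Server1_idx
#   sourcetype = Server1_EventLogs
#   disabled   = 0
#
# Assumes the forwarder's service account can read the Application log and
# write the checkpoint file.

param(
    [int[]]  $EventCodes     = @(5740, 8112, 1001),   # codes from the question
    [string] $LogFile        = 'Application',
    [string] $CheckpointFile = "$env:ProgramData\win_app_filter\last_record.txt"  # assumed location
)

# WQL evaluates "A AND B OR C" as "(A AND B) OR C", so the OR group must be
# parenthesised or the LogFile restriction silently stops applying to the
# later codes. Build it from the list so adding a code is a one-place change.
$codeFilter = ($EventCodes | ForEach-Object { "EventCode = $_" }) -join ' OR '
$wql = "SELECT RecordNumber, TimeGenerated, EventCode, EventType, SourceName, ComputerName, Message " +
       "FROM Win32_NtLogEvent WHERE LogFile = '$LogFile' AND ($codeFilter)"

# Checkpoint: emit only records newer than the last one sent, so a 300 s
# interval does not re-index the whole log on every run.
[long]$lastRecord = 0
if (Test-Path $CheckpointFile) {
    [void][long]::TryParse((Get-Content -Path $CheckpointFile -Raw).Trim(), [ref]$lastRecord)
}
if ($lastRecord -gt 0) { $wql += " AND RecordNumber > $lastRecord" }

$newest = $lastRecord
$fmt = '{0} ComputerName="{1}" LogFile="{2}" SourceName="{3}" EventCode={4} EventType={5} RecordNumber={6} Message="{7}"'

$events = Get-CimInstance -Query $wql | Sort-Object RecordNumber
foreach ($e in $events) {
    # Get-CimInstance already converts the CIM datetime to a .NET DateTime;
    # emit it as ISO 8601 with offset so Splunk's timestamp recognition gets it right.
    $ts  = $e.TimeGenerated.ToString('yyyy-MM-ddTHH:mm:ss.fffzzz')
    # One event per line: flatten the multi-line Message and avoid stray double
    # quotes so Splunk's automatic key=value extraction keeps the field intact.
    $msg = (($e.Message -replace '[\r\n]+', ' ') -replace '"', "'").Trim()
    $fmt -f $ts, $e.ComputerName, $LogFile, $e.SourceName, $e.EventCode, $e.EventType, $e.RecordNumber, $msg
    if ($e.RecordNumber -gt $newest) { $newest = $e.RecordNumber }
}

if ($newest -gt $lastRecord) {
    $dir = Split-Path -Path $CheckpointFile -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Set-Content -Path $CheckpointFile -Value $newest
}
```

Because the script writes one event per line, the sourcetype it feeds only needs SHOULD_LINEMERGE = false on the indexer; the LINE_BREAKER written for the native WinEventLog timestamp format does not apply to this output. If the Application log is cleared and its record numbers start over, delete the checkpoint file, otherwise the RecordNumber filter will suppress the new events.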

linu1988
Champion

Hello,
No, we can't, as there are no valid attributes like source/sourcetype available for WinEventLog in inputs.conf.

We can, however, use

[Source::WinEventLog:Application] as the source.

Thanks

0 Karma

chimbudp
Contributor

By default the chosen stanza name for an input is prepended with 'source::'; I think we don't want to mention it explicitly.

0 Karma