Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use a custom source type for specific Windows firewall events

coenvandijk
Observer
‎12-10-2021 01:48 AM

We use Splunk for storing and analyzing Windows security events. We now want to start storing firewall events related tot management ports.

 

I plan to use the following for retrieving the relevant data from the Windows security log

whitelist9 = EventCode="(?:515[67])" Message="(?i)Direction\:\t+Inbound" Message="Destination\sPort\:\t+(135|139|445|3389|5985|5986)"

 

I would like to store these events using a diiferent source type than the other events from [WinEventLog://Security]

 

How can I achieve this?

Labels (3)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-15-2021 12:36 PM

Whg do you specifically want to do this as other sourcetype?

0 Karma
Reply

ldongradi_splun
Splunk Employee
Splunk Employee
‎12-15-2021 12:13 PM

You want to index all the events from that WinEventLog, so you can't do that from the UF inputs.conf.

You need the parser (HF or Indexer) to apply a different treatment for those specific events :

props.conf
[source::TheWindowsSecurityLog]
TRANSFORMS = firewall_only

transforms.conf
[firewall_only]
REGEX = EventCode=515[67]
DEST_KEY = MetaData:SourceType
FORMAT = sourcetype::wineventlog_firewall

The REGEX probably needs some modification, but the spirit is to give a specific redirection for only those events that match the expression.

All the other events will follow the natural process.

No need for a blacklist/whitelist from the UF inputs.conf.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...