Splunk Enterprise

Universal Forwarder

AaronGRMEP
Explorer

I want to forward specific events from the Security log on a Windows server to my full Splunk install. I've looked through a lot of the posted documentation but can't figure out how to get the Universal forwarder to start forwarding. I then want to provide a list of Event ID numbers to whitelist to be sent to my server running Splunk.

Tags (1)
1 Solution

jbsplunk
Splunk Employee
Splunk Employee

You'll want to review this section of the documentation for configuring inputs.conf to pull security logs:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorwindowsdata

For getting the security logs, it's an on or off thing, you can't configure it at the forwarder level to send event x and y, but not z.

You'll need to send all of the data to the indexer and then route the data you don't want to the nullQueue. To learn more about doing that, and to see specific examples, this is the section of the documentation you should review:

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_...

View solution in original post

bmacias84
Champion

For event level routing/filtering and forwarding require the a Heavy forwarder if want to compish this from FW.

0 Karma

jbsplunk
Splunk Employee
Splunk Employee

You'll want to review this section of the documentation for configuring inputs.conf to pull security logs:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorwindowsdata

For getting the security logs, it's an on or off thing, you can't configure it at the forwarder level to send event x and y, but not z.

You'll need to send all of the data to the indexer and then route the data you don't want to the nullQueue. To learn more about doing that, and to see specific examples, this is the section of the documentation you should review:

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_...

View solution in original post

bmacias84
Champion

Within you props.conf try the following.


[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing

This should send events with EventCodes 4634 and 4624 to the indexer while sending all others to null queue. With only one transform stanza defined setnull define in you props you are send all events to the nullQueue.

0 Karma

AaronGRMEP
Explorer

anybody have an idea of what I need to fix?

0 Karma

AaronGRMEP
Explorer

Thanks for the response. I was able to get Security events to forward but wasn't able to get filtering to work. I think I'm pretty close but maybe have a typo or something missing.

Here's what I have configured.

inputs.conf
[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

props.conf
[WinEventLog:Security]
TRANSFORMS-set= setnull

transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (?m)^EventCode=(4634|4624)
DEST_KEY = queue
FORMAT = indexQueue

Thanks.

0 Karma