Universal Forwarder

AaronGRMEP
Explorer

I want to forward specific events from the Security log on a Windows server to my full Splunk install. I've looked through a lot of the posted documentation but can't figure out how to get the Universal forwarder to start forwarding. I then want to provide a list of Event ID numbers to whitelist to be sent to my server running Splunk.

1 Solution

jbsplunk
Splunk Employee

You'll want to review this section of the documentation for configuring inputs.conf to pull security logs:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorwindowsdata

For getting the security logs, it's an on-or-off thing; you can't configure it at the forwarder level to send event x and y, but not z.

You'll need to send all of the data to the indexer and then route the data you don't want to the nullQueue. To learn more about doing that, and to see specific examples, this is the section of the documentation you should review:

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_...


bmacias84
Champion

For event-level routing/filtering and forwarding you require a Heavy Forwarder if you want to accomplish this from the FW.

bmacias84
Champion

Within your props.conf try the following.

[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing

This should send events with EventCodes 4634 and 4624 to the indexer while sending all others to the nullQueue. With only one transform stanza (setnull) defined in your props you are sending all events to the nullQueue.

AaronGRMEP
Explorer

Anybody have an idea of what I need to fix?

AaronGRMEP
Explorer

Thanks for the response. I was able to get Security events to forward but wasn't able to get filtering to work. I think I'm pretty close but maybe have a typo or something missing.

Here's what I have configured.

inputs.conf
[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

props.conf
[WinEventLog:Security]
TRANSFORMS-set= setnull

transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (?m)^EventCode=(4634|4624)
DEST_KEY = queue
FORMAT = indexQueue

Thanks.

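As an added illustration (not code from the thread or from Splunk itself), the following Python snippet simulates how the indexer applies a props.conf TRANSFORMS-set list: each stanza is evaluated left to right and every matching stanza overwrites DEST_KEY, so the last match wins. It reproduces the setnull/setparsing stanzas from the posted transforms.conf against a few constructed Security events and shows why TRANSFORMS-set = setnull alone drops everything while setnull,setparsing keeps 4624 and 4634.

```python
import re

# Constructed sample events shaped like the multiline text Splunk's WinEventLog
# input produces (not real captures); only EventCode matters for routing here.
SAMPLE_EVENTS = [
    "LogName=Security\nEventCode=4624\nMessage=An account was successfully logged on.",
    "LogName=Security\nEventCode=4634\nMessage=An account was logged off.",
    "LogName=Security\nEventCode=4672\nMessage=Special privileges assigned to new logon.",
    "LogName=Security\nEventCode=4688\nMessage=A new process has been created.",
]

# The transforms.conf stanzas from the thread, expressed as dicts.
TRANSFORMS = {
    "setnull": {"REGEX": r".", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "setparsing": {
        "REGEX": r"(?m)^EventCode=(4634|4624)",
        "DEST_KEY": "queue",
        "FORMAT": "indexQueue",
    },
}


def route_event(raw, transform_names):
    """Return the queue one raw event lands in after the named transforms run in order.

    Every stanza whose REGEX matches sets its DEST_KEY to FORMAT, so a later
    match overrides an earlier one. An event nobody touches stays in indexQueue.
    """
    keys = {"queue": "indexQueue"}
    for name in transform_names:
        stanza = TRANSFORMS[name]
        if re.search(stanza["REGEX"], raw):
            keys[stanza["DEST_KEY"]] = stanza["FORMAT"]
    return keys["queue"]


def indexed_event_codes(transforms_set):
    """Simulate 'TRANSFORMS-set = <transforms_set>' and list EventCodes that get indexed."""
    names = [n.strip() for n in transforms_set.split(",")]
    kept = []
    for raw in SAMPLE_EVENTS:
        if route_event(raw, names) == "indexQueue":
            kept.append(re.search(r"^EventCode=(\d+)", raw, re.M).group(1))
    return kept


if __name__ == "__main__":
    print("setnull            ->", indexed_event_codes("setnull"))             # []
    print("setnull,setparsing ->", indexed_event_codes("setnull,setparsing"))  # ['4624', '4634']
    print("setparsing,setnull ->", indexed_event_codes("setparsing,setnull"))  # []
```

Note the third case: reversing the order lets setnull run last and silently discards the whitelisted events too, so the stanza order in TRANSFORMS-set is part of the configuration, not cosmetic.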