I'm using a set of universal forwarders to send data to a central indexer. I would like to send events from "WinEventLog:Security" only if, for example, the Event Code is 552 (EventCode=552). I have read some posts about the same subject and tried some of the suggested solutions. However, I haven't been able to make scenarios similar to this one work, since I still receive all types of events. My conf files:

inputs.conf
----------------
[WinEventLog:Security]
disabled = 0
index = my_index
start_from = oldest

props.conf
--------------
[WinEventLog:Security]
TRANSFORMS-sec = allowtheseevents

outputs.conf
----------------
[tcpout]
defaultGroup=nullGroup
indexAndForward = 0

[tcpout:nullGroup]
server=0.0.0.0:0000

[tcpout:allowedEventsGroup]
server=(my_server):9997

transforms.conf
---------------------
[allowtheseevents]
REGEX = (?m)^EventCode=552
DEST_KEY = _TCP_ROUTING
FORMAT = allowedEventsGroup

In "transforms.conf" I have also tried something like: "[\w\W]+EventCode\s=\s552[\w\W]+"

Can someone help me with this? Thank you.
First of all, you will not be able to filter on the Universal Forwarder. If you want to filter events on the Windows server then you will need to install a regular/heavy Forwarder. If you want to continue using a UF instead then you will need to modify the config files on the Indexer. Here is a link to information on how to install a Regular/Heavy Forwarder: http://docs.splunk.com/Documentation/Splunk/4.2.5/Deploy/Deployaforwarder

I didn't remember the following information/table: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Typesofforwarders#Forwarder_comparison In fact, it states that the universal forwarder does neither event parsing nor per-event filtering. I will try to do the filtering on the indexer, but prior to the indexing process.
(04 Jan '12, 09:31)
fernandoandre
Or as tgow said, you can install a regular/heavy Forwarder on the server sending the alerts.
(04 Jan '12, 10:38)
gekoner
Unfortunately that's not an option... smallest footprint possible. Thank you for the help.
(05 Jan '12, 03:10)
fernandoandre
Hi. I am also looking for a way to only index a few Windows event IDs, and since I found out that this cannot be done at the universal forwarder I'm looking for a way to do this on the indexer. Fernandoandre, did you manage to do this on your indexer? If so, could you post an example of how you did this? Thanks....

Hi. At the moment we have many filters, but I'll leave you with a simple solution.

==props==
[WinEventLog:Security]
TRANSFORMS-set = setnull

==transforms==
[setnull]
REGEX = (?msi)^EventCode=(?!(552|538|576|528|529)\b)
DEST_KEY = queue
FORMAT = nullQueue

The "setnull" entry redirects you to the stanza with that name in transforms.conf. There you apply the regex to filter what you need. Hope that helps. Also read this (Splunk lifecycle): http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F and the transforms.conf and props.conf documentation.
(18 Jul '12, 03:36)
fernandoandre
tobbedahl, were you able to solve your problem? If yes, please also post your solution.
(19 Jul '12, 01:55)
fernandoandre
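A way to check the [setnull] filter from the answer above before loading it on an indexer, as an added example that is not part of the original thread or of Splunk itself: a small Python script that applies the same REGEX to constructed WinEventLog:Security event bodies and reports which ones would be sent to nullQueue. The event text, the helper names (make_event, route, partition) and the extra EventCode values 4624 and 5528 are constructed for the demonstration; the script also goes one step beyond the thread by showing why the trailing \b word boundary in the lookahead matters.

```python
import re

# --- Constructed sample events (not from the original thread) -------------
# Splunk renders a Windows event as multi-line text with one "Key=Value"
# field per line; the field the [setnull] stanza routes on is "EventCode=".
def make_event(event_code, message):
    """Build a constructed WinEventLog:Security event body for testing."""
    return "\n".join([
        "01/03/2012 11:29:00 AM",
        "LogName=Security",
        "SourceName=Security",
        f"EventCode={event_code}",
        "EventType=8",
        "Type=Success Audit",
        "ComputerName=WKSTN01",
        f"Message={message}",
    ])

SAMPLE_EVENTS = {
    "552":  make_event(552,  "Logon attempt using explicit credentials"),
    "528":  make_event(528,  "Successful logon"),
    "538":  make_event(538,  "User logoff"),
    "4624": make_event(4624, "An account was successfully logged on"),
    "5528": make_event(5528, "Constructed code that shares the prefix 552"),
}

# The REGEX from the answer's [setnull] stanza. (?m) makes ^ match at each
# line start, (?s) lets . span lines, (?i) is case-insensitive. The negative
# lookahead means: match (and therefore discard) any event whose EventCode
# is NOT one of the listed codes; \b stops a longer code such as 5528 from
# being accepted because it merely starts with 552.
SETNULL_REGEX = re.compile(r"(?msi)^EventCode=(?!(552|538|576|528|529)\b)")

# The same expression without the word boundary, kept only to show the pitfall.
SETNULL_NO_BOUNDARY = re.compile(r"(?msi)^EventCode=(?!(552|538|576|528|529))")


def route(event_text, regex=SETNULL_REGEX):
    """Mimic DEST_KEY = queue / FORMAT = nullQueue: a regex hit discards."""
    return "nullQueue" if regex.search(event_text) else "indexQueue"


def partition(events, regex=SETNULL_REGEX):
    """Split a dict of {code: event_text} into (kept codes, dropped codes)."""
    kept, dropped = [], []
    for code, text in events.items():
        (kept if route(text, regex) == "indexQueue" else dropped).append(code)
    return sorted(kept), sorted(dropped)


if __name__ == "__main__":
    for code, text in SAMPLE_EVENTS.items():
        print(f"EventCode={code:>5} -> {route(text)}")
    print("with \\b   :", partition(SAMPLE_EVENTS))
    print("without \\b:", partition(SAMPLE_EVENTS, SETNULL_NO_BOUNDARY))
```

Splunk evaluates REGEX with PCRE; for this expression Python's re module behaves the same, so a script like this is a cheap pre-deployment check. Run it as-is and the 552, 528 and 538 events stay on indexQueue while 4624 and 5528 go to nullQueue; with the boundary removed, 5528 would wrongly be kept.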
fernandoandre, if I can make a friendly suggestion. Splunk is architected to capture/index ALL data and have you use search queries and other methods to get/view the data you want. To do this, remove your REGEX and FORMAT on your Universal Forwarder client (or remove transforms.conf altogether). Restart your UFC. Then search for the data you are looking for in your search query Web interface. Ex.:

index=* source=WinEventLog:Security AND EventCode=552

If you are looking to be alerted when this occurs you can set up a saved search and an alert to let you know. Now if you are looking to filter data based on your available bandwidth or license constraints, that's a different story; you can do that, it is just a lot more work.

I know it goes against Splunk logic, but in this particular case this is really what I need, since I only want some events (for example successful/failed logons). The reasons for this are simple: 1) I have a very big infrastructure; 2) I want to reduce the traffic on the network; 3) I don't want to index data that I don't need and don't want to analyze. My goal is to filter the events at the u.forwarder. And believe me, I will receive tons of events this way.
(03 Jan '12, 11:29)
fernandoandre