Refine your search:

WinEvent Filtering on Heavy Forwarder

2

Hi, Trying to send all eventIDs from WinEventLog:Security to NullQueue with the exception of 592 and 593. Still getting all security events indexed :< props.conf and transforms.conf, located in Splunk\etc\system\local on the forwarder are as follows:

props.conf

[WinEventLog:Security]
TRANSFORMS-set=setnull,setparsing

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (?m)^EventCode=(592|593)
DEST_KEY = queue
FORMAT = indexQueue

Thanks, Andie

asked 19 Jul '10, 20:36

stockwel's gravatar image

stockwel
212
accept rate: 0%

edited 20 Jul '10, 11:57

3 Answers:
oldestnewestmost voted
1

Take a look at this answer regarding whitelisting specific event codes to be forwarded.

http://answers.splunk.com/questions/9076/how-to-configure-a-forwarder-to-filter-and-send-only-the-events-i-want

link

answered 16 Nov '10, 23:14

maverick's gravatar image

maverick ♦
2.5k3455
accept rate: 14%

0

Hi, a couple things.

1) If you use a LightWeightForwarder, you might have to put those configurations on the indexer too.

2) Windows Security event logs have white spaces before "EventCode", so binding your regex to the start of the line should not work. 

REGEX = (?m)EventCode=(592|593)

You could also do the same job with a simpler configuration, though:

props.conf

[WinEventLog:Security]
TRANSFORMS-set=dropevents

transforms.conf

[dropevents]
REGEX = (?m)EventCode=(?!592|593)
DEST_KEY = queue
FORMAT = nullQueue

This regex means "discard everything that has EventCode different from either 592 or 593"

link

answered 20 Jul '10, 14:01

Paolo%20Prigione's gravatar image

Paolo Prigione
1.4k110
accept rate: 34%

ops, sorry for the inconvenience: point 1) can be discarded as the forwarder type was inherent in the question's title

(20 Jul '10, 14:15) Paolo Prigione
0

Try (?msi) instead of just (?m)

link

answered 18 Aug '10, 17:51

BunnyHop's gravatar image

BunnyHop
7153322
accept rate: 25%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×1,177

Asked: 19 Jul '10, 20:36

Seen: 920 times

Last updated: 01 Dec '10, 01:22

Related questions

Can Splunk index Windows Event Log(evt,evtx) files?

Windows eventlog stops forwarding

Duplicated windows security event log data with WMI

How to search a Multiline event using rex at searchtime?

How do you limit the amount of time that splunk looks into the past for log data?

Source not searchable after re-write?

How do I send Windows Event logs to Splunk Indexer installed in Linux?

While setting up a Windows Eventlog collection input, why do I get an HTTP 500 - Access is denied error?

Discard Windows Events and keep the rest

One Server; Two Apps; Conflicting WinEventLog:Application settings

Copyright © 2005-2012 Splunk, Inc. All rights reserved.