Refine your search:

Filtering windows events not working after switching to WMI pull

0

Hi,

My previous configuration to filter windows event codes doesn't work when I used it on another machine that is pulling data via WMI. My objective is to filter off event codes 538,540,672,673,861 and "Success Audit" type for code 578.

My existing configuration is:
props.conf 

[wmi]  
TRANSFORMS-null = setnullevents, setparsing

transforms.conf 

[setnullevents]  
REGEX = (?m)^EventCode=(538|540|672|673|861)\b  
DEST_KEY = queue  
FORMAT = nullQueue 

[setparsing]
REGEX = (?msi)^EventCode=578.*^(Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue

Any idea what I've missed?

asked 15 Oct '10, 01:58

remy06's gravatar image

remy06
2976444
accept rate: 40%

edited 18 Oct '10, 03:39

2 Answers:
oldestnewestmost voted
0

don't know why but after I meddle around with the naming..it seems to work after that..

props.conf [wmi]
TRANSFORMS-wminull = wmi-null, wmi-parsing

[wmi-null]
REGEX = (?msi)^EventCode=(538|540|672|673|861)\b
DEST_KEY = queue
FORMAT = nullQueue

[wmi-parsing]
REGEX = (?msi)^EventCode=578.*^(Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue

link

answered 20 Oct '10, 03:59

remy06's gravatar image

remy06
2976444
accept rate: 40%

0

Can you clarify your input configuration? Are you pulling events from remote eventlogs or from local ones?

If it's from local ones, you should use a stanza of

[WinEventLog:Security]

Also, if you're forwarding, then it will not use the wmi stanza on the recieving end, only the sending, so you'll need the proper spec

[source::WMI:WinEventLog:Security]

Also, I'd change the transform names to allwminull and successwminull or similar. As you're not setting the default to null and then rescuing the events you care about, which is what the original sample names are for.

link

answered 18 Oct '10, 11:07

dart's gravatar image

dart
1.9k210
accept rate: 28%

There are 3 machines, hostA,hostB(both windows) & splunk indexer(linux).

I have splunk installed on hostB and have configured with the above scripts to pull event logs from hostA, and then forward them to Splunk indexer.

(19 Oct '10, 03:20) remy06
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×142
×134

Asked: 15 Oct '10, 01:58

Seen: 1,252 times

Last updated: 20 Oct '10, 03:59

Related questions

WMI Event Filtering not working

Event filtering not working

Event Filtering not working

WMI EventLog Filtering

Remote Event Log (Windows) Filtering by EventCode not working

Filter Duplicate Windows Events

Event filtering issue

Filtering events not working

Copyright © 2005-2012 Splunk Inc. All rights reserved.