I installed a Splunk (Heavy Forwarder) in my Windows 2007 Std SP1 FILE SERVER.
Installed, too, Windows APPs.
I configured it to forward to my Splunk Index Server, and this FILESERVER is forwarding correctly (I can see SECURITY events in the Search app of my Splunk server).
I would like to >NOT< send WMI security events with Event ID 4673 and 4658, and for this I did:
1) Inside C:\Program Files\Splunk\etc\apps\windows\default\props.conf I inserted:
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull
2) Inside C:\Program Files\Splunk\etc\apps\windows\default\transform.conf
[wminull]
REGEX=(?m)^EventCode=(4673|4658)
DEST_KEY=queue
FORMAT=nullQueue
After this I restarted the Splunk service on this file server and checked the Splunk server, but these events (4673 and 4658) are still being collected from this server.
Is this regex wrong?
Thanks !!!!!!!
The regex seems fine, but I would recommend that you do NOT edit anything in the C:\Program Files\Splunk\etc\system\default directory. Instead, try creating a props.conf and a transforms.conf in C:\Program Files\Splunk\etc\system\local and try again. Also, try changing the stanza headers as per below to reflect the correct sourcetype.
C:\Program Files\Splunk\etc\system\local\props.conf
[WinEventLog:Security]
TRANSFORMS-wmi=wminull
C:\Program Files\Splunk\etc\system\local\transforms.conf
[wminull]
REGEX=(?mi)EventCode=(4673|4658)
DEST_KEY=queue
FORMAT=nullQueue
Notice that I changed the regex slightly (it should not matter) AND I changed the stanza header for the sourcetype in props.conf.
Hope this helps.
> please upvote and accept answer if you find it useful - thanks!
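To make the two points in the answer concrete (the stanza header must match the event's real sourcetype, and the `^` anchor only finds `EventCode=` on an inner line when `(?m)` is set), here is an added Python simulation of how a `TRANSFORMS-...` stanza with `DEST_KEY=queue` / `FORMAT=nullQueue` routes events. It is not part of this thread and not Splunk's own code; Splunk's real pipeline is not Python. The sample events are constructed to mimic the multi-line key=value layout of the Windows event log input, and `route_event`, `route_all` and `anchored_regex_matches` are names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real log data) in the multi-line key=value
# layout the Splunk Windows event log input produces. The first line is the
# timestamp, so "EventCode=" never sits at the very start of the event.
SAMPLE_EVENTS = [
    ("WinEventLog:Security",
     "11/20/2013 09:15:02 AM\nLogName=Security\nEventCode=4673\nEventType=0\n"
     "Message=A privileged service was called."),
    ("WinEventLog:Security",
     "11/20/2013 09:15:03 AM\nLogName=Security\nEventCode=4624\nEventType=0\n"
     "Message=An account was successfully logged on."),
    ("WinEventLog:Security",
     "11/20/2013 09:15:04 AM\nLogName=Security\nEventCode=4658\nEventType=0\n"
     "Message=The handle to an object was closed."),
    # Same event, but tagged with the sourcetype used as the stanza header in
    # the original question; no props stanza matches it, so it is never dropped.
    ("WMI:WinEventLog:Security",
     "11/20/2013 09:15:05 AM\nLogName=Security\nEventCode=4673\nEventType=0\n"
     "Message=A privileged service was called."),
]

# Minimal stand-ins for the props.conf / transforms.conf stanzas in the answer.
PROPS = {"WinEventLog:Security": ["wminull"]}
TRANSFORMS = {
    "wminull": {"REGEX": r"(?mi)EventCode=(4673|4658)",
                "DEST_KEY": "queue", "FORMAT": "nullQueue"},
}


def route_event(sourcetype, raw, props=PROPS, transforms=TRANSFORMS):
    """Return the queue an event is routed to: 'nullQueue' (dropped) or 'indexQueue'.

    Only the transforms listed under the event's own sourcetype stanza are
    applied, which is why the stanza header must match the real sourcetype.
    """
    queue = "indexQueue"
    for name in props.get(sourcetype, []):
        t = transforms[name]
        if t["DEST_KEY"] == "queue" and re.search(t["REGEX"], raw):
            queue = t["FORMAT"]
    return queue


def route_all(events, props=PROPS, transforms=TRANSFORMS):
    """Group events by destination queue: {queue: [(sourcetype, EventCode), ...]}."""
    out = defaultdict(list)
    for sourcetype, raw in events:
        m = re.search(r"(?m)^EventCode=(\d+)", raw)
        code = m.group(1) if m else "?"
        out[route_event(sourcetype, raw, props, transforms)].append((sourcetype, code))
    return dict(out)


def anchored_regex_matches(raw, multiline=True):
    """Show why an anchored regex needs (?m): without it, ^ matches only at offset 0."""
    pattern = r"^EventCode=(4673|4658)"
    flags = re.MULTILINE if multiline else 0
    return re.search(pattern, raw, flags) is not None


if __name__ == "__main__":
    for queue, items in sorted(route_all(SAMPLE_EVENTS).items()):
        print(f"{queue}:")
        for sourcetype, code in items:
            print(f"  {sourcetype}  EventCode={code}")
    first = SAMPLE_EVENTS[0][1]
    print("^EventCode with (?m):   ", anchored_regex_matches(first, True))
    print("^EventCode without (?m):", anchored_regex_matches(first, False))
```

Running it shows the two `WinEventLog:Security` events with codes 4673 and 4658 landing in `nullQueue`, the 4624 logon staying in `indexQueue`, and the `WMI:WinEventLog:Security` event also staying in `indexQueue` because no stanza applies to it. Before deploying a nullQueue filter on a real forwarder, verify the sourcetype with a search such as `sourcetype=WinEventLog:Security EventCode=4673` and, after the restart, confirm the event count for those codes drops to zero while other Security events keep arriving.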
mgaleti, please accept answer and upvote so that other community members can find it useful. Thanks.
Great!!!! Thanks! Worked fine.