
Remote Event Log (Windows) Filtering by EventCode not working

hughkelley
Path Finder

I know this question has been asked many times over, but I can't see how my .conf files are different from the working examples. I seem to be getting all EventCodes in my index.

Could someone please do a double-check here?

# apps/search/local/wmi.conf
#
[default]

[WMI:DC Event Logs]
disabled = 0
event_log_file =  Security
interval = 5
server = a-dc-01
# system/local/props.conf  (also tried putting this under search)
#
[source::WMI:WinEventLog:Security]
TRANSFORMS-WMISecurityLog = setWMISecurityLogRetain,setWMISecurityLogNull
# system/local/transforms.conf (also tried putting this under search)
#
[setWMISecurityLogNull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setWMISecurityLogRetain]
REGEX = (?m)^EventCode=(4662|5136|5137|5138|5139|5141)\D
DEST_KEY = queue
FORMAT = indexQueue

I'm trying to limit the log entries to the IDs above but I'm getting many more EventCodes than I want.

EventCode count(EventCode)
--------- ----------------
 4662               44
 4735               38
 4768               84
 4769             2413
 4770               79
 4771               13
 4776              162
 5159             1870

Thanks in advance, Hugh


yannK
Splunk Employee

UPDATE: Splunk 6.*
Since this version you can actually specify a list or range of EventCodes to exclude at the forwarder level, in inputs.conf. It will reduce the volume at the forwarder level and reduce the network load.

See
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

Example:

[WinEventLog:Security]
disabled = 0
blacklist=566,800-850

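The blacklist value above is a comma-separated list of EventCodes in which an entry may be a single code or an inclusive range. The following is an added example, not part of the thread or of Splunk's own code: a small parser for that list format, plus a filter that applies it to a handful of constructed events. The event dicts, the function names and the treatment of whitespace are assumptions of this example; the forwarder's real matching logic is not reproduced here.

```python
# Parse an inputs.conf-style EventCode blacklist such as "566,800-850"
# and apply it to events. Model code for illustration, not Splunk's implementation.

# Constructed sample events (not from the thread): only EventCode matters here.
BLACKLIST_SAMPLE_EVENTS = [
    {"EventCode": 566, "Message": "An operation was performed on an object"},
    {"EventCode": 4624, "Message": "An account was successfully logged on"},
    {"EventCode": 820, "Message": "constructed event inside the 800-850 range"},
    {"EventCode": 4769, "Message": "A Kerberos service ticket was requested"},
]


def parse_event_code_list(spec):
    """Turn "566,800-850" into the set {566, 800, 801, ..., 850}.

    Entries are separated by commas; an entry is either one integer or
    "low-high", an inclusive range. Surrounding whitespace is ignored and an
    empty entry (e.g. a trailing comma) is skipped. Malformed entries raise
    ValueError so a typo in the config is noticed instead of silently
    matching nothing.
    """
    codes = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_text, hi_text = part.split("-", 1)
            lo, hi = int(lo_text), int(hi_text)
            if lo > hi:
                raise ValueError(f"range out of order: {part!r}")
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(part))
    return codes


def is_blacklisted(event_code, spec):
    """True if event_code falls inside the blacklist spec."""
    return event_code in parse_event_code_list(spec)


def filter_events(events, blacklist_spec):
    """Drop events whose EventCode is in the blacklist and keep the rest.

    This is the exclusion behaviour the answer describes for the forwarder:
    a blacklist removes the listed codes; everything not listed is forwarded.
    """
    drop = parse_event_code_list(blacklist_spec)
    return [e for e in events if e["EventCode"] not in drop]


if __name__ == "__main__":
    spec = "566,800-850"
    print(sorted(parse_event_code_list(spec))[:5], "... total", len(parse_event_code_list(spec)))
    for e in filter_events(BLACKLIST_SAMPLE_EVENTS, spec):
        print("forwarded:", e["EventCode"], e["Message"])
```

Note that a blacklist is the opposite shape from what the question asks for (keep only a short list of codes): to reproduce a keep-list with a blacklist you would have to enumerate every code you do not want, which is why the transforms-based approach in the question is still the natural fit for an allow-list.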

yannK
Splunk Employee

See example:
Additional method to filter since Splunk 6.*
http://answers.splunk.com/answers/116817/filter-wineventlog-events-based-on-the-eventcodes


yannK
Splunk Employee

If you want to keep only the events listed in setWMISecurityLogRetain and drop the rest, please invert the order of your transforms.


TRANSFORMS-WMISecurityLog = setWMISecurityLogNull,setWMISecurityLogRetain

BEWARE: On recent versions of the Windows app, the sourcetype for Windows events has changed, so you should change the props.conf stanza accordingly:
[wmi] in Splunk 4.1
[WMI:WinEventLog:Security] in 4.2

Please try them both, or use them both if you have a mix of forwarder versions, to cover them all.
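Why the order of the two transforms matters is easiest to see by running them. The block below is an added example, not code from the thread or from Splunk: it models a TRANSFORMS-<class> list under the assumption that the transforms run left to right and that every transform whose REGEX matches writes its FORMAT into DEST_KEY, so the last match decides the queue and an event nothing matched stays in indexQueue. The sample events, and the function names route_event and kept_event_codes, are constructed for this example; the two transform definitions are the ones posted in the question.

```python
import re

# Constructed sample events (not from the thread): one Security event per
# EventCode, in the multi-line key=value layout the WMI input produces.
SAMPLE_EVENTS = [
    "LogName=Security\nEventCode=4662\nEventType=0\nMessage=An operation was performed on an object",
    "LogName=Security\nEventCode=4769\nEventType=0\nMessage=A Kerberos service ticket was requested",
    "LogName=Security\nEventCode=5136\nEventType=0\nMessage=A directory service object was modified",
    "LogName=Security\nEventCode=5159\nEventType=0\nMessage=The Windows Filtering Platform has permitted a bind",
]

# The two transforms exactly as posted in the question's transforms.conf.
TRANSFORMS = {
    "setWMISecurityLogNull": {
        "REGEX": r".",
        "DEST_KEY": "queue",
        "FORMAT": "nullQueue",
    },
    "setWMISecurityLogRetain": {
        "REGEX": r"(?m)^EventCode=(4662|5136|5137|5138|5139|5141)\D",
        "DEST_KEY": "queue",
        "FORMAT": "indexQueue",
    },
}

ORIGINAL_ORDER = ["setWMISecurityLogRetain", "setWMISecurityLogNull"]  # as posted
INVERTED_ORDER = ["setWMISecurityLogNull", "setWMISecurityLogRetain"]  # as the answer suggests


def route_event(raw, transform_order):
    """Return the queue an event ends up in after the transform chain runs.

    Model of TRANSFORMS-<class> evaluation (an assumption of this example):
    transforms run in list order; each one whose REGEX matches the raw event
    overwrites DEST_KEY with its FORMAT, so the last matching transform wins.
    An event that no transform matches keeps the default destination,
    indexQueue.
    """
    queue = "indexQueue"
    for name in transform_order:
        t = TRANSFORMS[name]
        if re.search(t["REGEX"], raw):
            queue = t["FORMAT"]
    return queue


def kept_event_codes(events, transform_order):
    """Sorted EventCodes of the events that reach indexQueue."""
    kept = []
    for raw in events:
        code = int(re.search(r"(?m)^EventCode=(\d+)", raw).group(1))
        if route_event(raw, transform_order) == "indexQueue":
            kept.append(code)
    return sorted(kept)


if __name__ == "__main__":
    print("original order keeps:", kept_event_codes(SAMPLE_EVENTS, ORIGINAL_ORDER))
    print("inverted order keeps:", kept_event_codes(SAMPLE_EVENTS, INVERTED_ORDER))
    print("no transforms applied:", kept_event_codes(SAMPLE_EVENTS, []))
```

With the posted order, setWMISecurityLogNull runs last and its `.` matches every event, so nothing survives; with the inverted order the null transform fires first and the retain transform then puts the listed codes back into indexQueue. The third call shows the other failure mode: if the props.conf stanza never matches the incoming data, neither transform runs and every EventCode is indexed, which is the symptom in the question. One small property of the retain regex is also visible in the model: the trailing `\D` needs a character after the code, so a raw event whose very last characters are the EventCode (no newline or further field) does not match; real WMI events carry more fields after EventCode, so this is only worth knowing when testing the pattern against hand-made strings.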

hughkelley
Path Finder

I'm still exploring this theory, but it seems like

this doesn't match the events

[source::WMI:WinEventLog:Security]

but this does (specifying sourcetype, as opposed to source).

[WMI:WinEventLog:Security]

Does that sound right?
