Can we, because Windows SID translations need to be pointed to a specific Domain Controller based on IP, point our DMZ Universal Forwarders to the DC in the DMZ (IP=205.x.x.x) and point everything else to our internal DC? I know you can whitelist files and hosts using REGEX, but what about IP, or with a REGEX on the IP? I would rather not have to adjust or keep a list of which servers are in the DMZ and update the list as they are added and removed.
[WinEventLog://Security]
whitelist=205.*
evt_dc_name = app-ldap-servers.domainname.com

[WinEventLog://Security]
blacklist=205.*
evt_dc_name = internal-app-ldap-servers.domainname.com
No, you cannot; whenever you duplicate any WinEventLog stanza, the last one has precedence and all earlier stanzas are completely ignored. You have 2 options: you can stand up 2 instances of Splunk on the forwarder and configure each one with one of the stanzas (this is really not a big deal and works great), or you can carve out one set of events and send them to a logfile using Windows tools and Splunk that logfile. This answer discusses the latter solution:
http://answers.splunk.com/answers/314099/for-wineventlogsecurity-how-to-use-renderxmltrue-f-1.html
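Added example, not code from the thread above or from Splunk: a toy model of the answer's point that a repeated [WinEventLog://Security] stanza collapses so only the last copy counts, plus a deploy-time helper that picks evt_dc_name from the forwarder's own IP so each host gets a single stanza and no list of DMZ servers has to be maintained. The hostnames and the 205.x.x.x DMZ range come from the question; treating 205.0.0.0/8 as the DMZ network and the "last stanza replaces earlier ones" merge rule are assumptions for illustration.

```python
import ipaddress

# Assumed: the DMZ is the whole 205.0.0.0/8 range mentioned in the question.
DMZ_NET = ipaddress.ip_network("205.0.0.0/8")
DMZ_DC = "app-ldap-servers.domainname.com"
INTERNAL_DC = "internal-app-ldap-servers.domainname.com"

# The two stanzas proposed in the question, reproduced verbatim.
PROPOSED_CONF = """\
[WinEventLog://Security]
whitelist=205.*
evt_dc_name = app-ldap-servers.domainname.com
[WinEventLog://Security]
blacklist=205.*
evt_dc_name = internal-app-ldap-servers.domainname.com
"""


def collapse_duplicates(conf_text: str) -> dict:
    """Parse inputs.conf-style text into {stanza: {key: value}}.

    A repeated header replaces the earlier stanza wholesale, which models
    (as a simplification) the answer's claim that only the last copy counts.
    """
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}  # later copy discards the earlier one
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def render_stanza(host_ip: str) -> str:
    """Emit the single stanza a forwarder running on host_ip should receive,
    choosing the DC by the host's own address instead of a maintained list."""
    dc = DMZ_DC if ipaddress.ip_address(host_ip) in DMZ_NET else INTERNAL_DC
    return f"[WinEventLog://Security]\nevt_dc_name = {dc}\n"


if __name__ == "__main__":
    print(collapse_duplicates(PROPOSED_CONF))  # only the blacklist stanza survives
    print(render_stanza("205.10.0.7"))         # DMZ host -> DMZ DC
    print(render_stanza("10.1.2.3"))           # internal host -> internal DC
```

Run render_stanza from whatever deploys the forwarder (with the host's real IP) and write its output as that host's inputs.conf, so each forwarder ever carries one Security stanza.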