Re: How to filter out WMI Windows events with blac...

feliz · ‎09-18-2014

Hello there!

We collect WMI Windows event with Splunk 6.1.3 and we want to filter some of these events. We tried with props.conf and transforms.conf, unsuccessfully. Here are the files, found in official doc:

props.conf

[WinEventLog:Security]
TRANSFORMS-wmi=wminull

transforms.conf

[wminull]
REGEX=(?m)^EventCode=(5154|5157)
DEST_KEY=queue
FORMAT=nullQueue

We also tried from:

http://answers.splunk.com/answers/169030/wmi-blacklist-splunk-6.html

http://answers.splunk.com/answers/12375/wineventlog-filtering-eventcode.html

http://answers.splunk.com/answers/141136/how-to-filter-wmi-event-logs-using-blacklist-props-or-trans...

Any help would be much appreciated!

rdjoraev_splunk · ‎06-30-2015

As per Splunk documentation, release 6.x, stanza should be [WinEventLog:Security] in the inputs.conf file.
It doesn't not mention about [WMI:WinEventLog:Security].

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/MonitorWindowsdata

http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Whitelistorblacklistspecificincomingdata

mfhuang_splunk · ‎09-18-2014

You should use [WMI:WinEventLog:Security] in props.conf

Also, if you are collecting events on local machine, consider using WinEventLog instead of WMI. You can specify black/whitelist in inputs.conf.
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Inputsconf

feliz · ‎09-19-2014

Hey thanks for your answer! Even when using [WMI:WinEventLog:Security] instead of [WinEventLog:Security] it didn't work.

We've already been using black and whitelist for WinEventLog and it's perfectly working. Can't figure out why it's not for WMI...

How to filter out WMI Windows events with blacklist in Splunk 6.1.3?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases