Solved: Re: WinEventLog filtering EventCode

joshrabinowitz · ‎03-08-2011

I have a Splunk central indexer on rhel5.5 and a forwarder (not LWF) on a Server 2008 VM. Currently I am forwarding all of WinEventLog:Security, and want to not index EventCode=566.

props.conf

[WMI:WinEventLog:Security]
TRANSFORMS-null= setnull

transforms.conf

[setnull]
REGEX ="(?m)^EventCode=566"
DEST_KEY = queue
FORMAT = nullQueue

Currently these files exist in $SPLUNK_HOME/etc/system/local on the indexer, but I am still seeing results for EventCode=566 in search.

What am I doing wrong?

yannK · ‎06-29-2011

BEWARE : On recent versions of the windows app, the sourcetype for windowsevents has changed, so should change the props.conf

[wmi] in splunk 4.1
[WMI:WinEventLog:Security] in 4.2

please try then both, or use them both if you have a mix of forwarder's versions to cover them all.

View solution in original post

yannK · ‎10-25-2013

UPDATE splunk 6.*
Since this version you can actually specify a list or range of eventCodes to exclude at the forwarder level, in inputs.conf. It will reduce the volume at the forwarder level and reduce the network load.

see
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

example:

[WinEventLog:Security] disabled = 0 blacklist=566,800-850

yannK · ‎06-29-2011

BEWARE : On recent versions of the windows app, the sourcetype for windowsevents has changed, so should change the props.conf

[wmi] in splunk 4.1
[WMI:WinEventLog:Security] in 4.2

please try then both, or use them both if you have a mix of forwarder's versions to cover them all.

gkanapathy · ‎03-08-2011

You shouldn't have the double-quotes (") around your REGEX, since they aren't in the data:

REGEX = (?m)^EventCode=566

WinEventLog filtering EventCode

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases