Currently trying to limit logs out of the application, security, and system logs. I want to send only application and system critical/error to one index and security to a different index.
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index=machine
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index=machine
Props.conf
[WinEventLog:Application]
TRANSFORMS-FilterEvents = Win_App_Log_FilterErrorEvents
[WinEventLog:System]
TRANSFORMS-FilterEvents = Win_Sys_Log_FilterErrorEvent
transform.conf
[Win_App_Log_FilterErrorEvents]
REGEX = (?ism)Type=Error|Critical
DEST_KEY = queue
FORMAT = nullQueue
[Win_Sys_Log_FilterErrorEvent]
REGEX = (?ism)Type=Error|Critical
DEST_KEY = queue
FORMAT = nullQueue
This is for the security event log
[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = 4674,4720,4725,4726,4727,4728,4740,4947,5136,5137,5141
index = labser_av_ads
I cant' see anything wrong with this.
See this answer for the indextime index routing.
http://answers.splunk.com/answers/76609/routing-window-system-logs-to-a-different-index
So what behavior are you seeing? BTW, why do you have [WinEventLog://Application]
instead of just [WinEventLog:Application]
? What's the "\\
" for?