Filtering Windows logs on Splunk Forwarder

ageld · ‎04-05-2011

If I make configuration changes mentioned by Maverick, in http://answers.splunk.com/questions/9076/how-to-configure-a-forwarder-to-filter-and-send-only-the-ev..., how do I send other logs/events to the same indexer. For example, how would I send DHCP logs, WindowsUpdate logs, WMI stuff? Do I have to tweak props.conf, transforms.conf, output.conf for every log? Also, which application should I make the changes to props.conf, transforms.conf, and output.conf? I tried to do it under F:\Program Files\Splunk\etc\apps\SplunkForwarder\, but it did not make a difference. No events appeared on the idexer

jgauthier · ‎04-05-2011

On the forwarder you want to set up an input for every occurrence. Then, you would specify the sourcetype on the input. (DHCP, windows update, wmi, etc)

If you are using a light/universal forwarder, you build filters based on the sourcetype on the indexer.

If you're using a heavy forwarder, then you do the same thing. Specify the input, and sourcetype. Build a props entry based on the source type, and build a transforms entry based on the TRANSFORMS field.

On the indexer, the props/transforms are in etc\system\local You do need to add an entry for every unique sourcetype.

Filtering Windows logs on Splunk Forwarder

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!