I am having difficulty filtering the Windows security logs. I have attempted to restrict the event IDs being sent but at the moment the entire security log is being indexed. Here is my currently deployed configuration. Any help would be greatly appreciated.
Inputs.conf
[WinEventLog:Security]
disabled=0
evt_resolve_ad_obj = 1
index = security
[WinEventLog:rDirectory]
disabled=0
Props.conf
[source::WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing,setparsing2
Transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX=(?m)^EventCode=(530|531|532|533|534|535|536|537|529|560|566|624|626|627|628|629|630|631|632|633|634|635|636|637|638|639|640|641|642|643|644|645|646|647|648|649|650|651|652|653|654|655|656|657|658|659|660|661|662|663|664|665|666|667|668|669|670|671|675|676|681|684|685|686|687|688|689|690|691|692|693|694|695|696|697|4625|4648|4656|4662|4706|4707|4713|4720|4723|4724|4725|4726|4727|4728|4729|4730|4731|4732|4733|4734|4735|4737|4738|4739|4740|4754|4755|4756|4757|4758|4767|4768|4771|4776|4780|4781|4786|4787|4788|4789|4790|4791|5136|5137)
DEST_KEY = queue
FORMAT = indexQueue
[setparsing2]
REGEX=(?m)^Accesses=(ListAccounts|DELETE|WRITE_DAC|WRITE_OWNER|WritePreferences|WriteAccount|SetPassword)
DEST_KEY = queue
FORMAT = indexQueue
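As an added illustration (not from the original post or from Splunk's own code), this Python script replays the nullQueue/indexQueue routing that the props.conf and transforms.conf above describe over a few constructed event samples. The ID list is a subset of the one in [setparsing], and the sample text mimics the multi-line key=value layout the WinEventLog input emits.

```python
import re

# Constructed subset of the event IDs allow-listed in the [setparsing] stanza above
SETPARSING_IDS = ["529", "560", "624", "4625", "4648", "4656", "4662", "4720", "4724",
                  "4728", "4732", "4740", "4768", "4771", "4776", "5136", "5137"]
# Access masks allow-listed in the [setparsing2] stanza
SETPARSING2_ACCESSES = ["ListAccounts", "DELETE", "WRITE_DAC", "WRITE_OWNER",
                        "WritePreferences", "WriteAccount", "SetPassword"]

# The TRANSFORMS-set chain in the order props.conf lists it: (stanza, REGEX, FORMAT).
# A later match overwrites the queue set by an earlier one, which is why setnull
# (drop everything) must come first and the allow-list rules after it.
TRANSFORMS = [
    ("setnull", re.compile(r"."), "nullQueue"),
    ("setparsing", re.compile(r"(?m)^EventCode=(" + "|".join(SETPARSING_IDS) + ")"), "indexQueue"),
    ("setparsing2", re.compile(r"(?m)^Accesses=(" + "|".join(SETPARSING2_ACCESSES) + ")"), "indexQueue"),
]


def route(event: str) -> str:
    """Return the queue an event ends up in after the whole transform chain runs."""
    queue = "indexQueue"  # default when no transform rewrites DEST_KEY=queue
    for _stanza, regex, dest in TRANSFORMS:
        if regex.search(event):
            queue = dest
    return queue


def route_all(events: dict) -> dict:
    """Route every sample event and report the resulting queue per sample name."""
    return {name: route(text) for name, text in events.items()}


# Constructed samples; only the fields the regexes inspect are included.
SAMPLE_EVENTS = {
    "failed_logon":     "LogName=Security\nEventCode=4625\nType=Information\n",     # allow-listed ID
    "successful_logon": "LogName=Security\nEventCode=4624\nType=Information\n",     # not in the list
    "acl_change":       "LogName=Security\nEventCode=4663\nAccesses=WRITE_DAC\n",    # kept via setparsing2
    "plain_read":       "LogName=Security\nEventCode=4663\nAccesses=READ_CONTROL\n", # dropped
    "id_prefix_only":   "LogName=Security\nEventCode=46251\n",  # made-up ID; shows the missing end anchor
}

if __name__ == "__main__":
    for name, queue in route_all(SAMPLE_EVENTS).items():
        print(f"{name:18s} -> {queue}")
```

The last sample shows that the alternation has no end anchor, so a value that merely starts with an allow-listed number still routes to indexQueue; appending `\b` after the closing parenthesis of the REGEX closes that gap.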
Any chance you are on Splunk 6?
You can filter event codes at the forwarders now.
http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata