Hi,
Running a trial of Splunk 4.2 on Windows 2008, attempting to filter before entering the index queue. Objective: keep the "account management" security events and drop all other events.
The only data to enter the index is
source="WMI:WinEventLog:Security" CategoryString="Account Management"
I have created props.conf and transforms.conf in C:\Program Files\Splunk\etc\system\local and tried a few different combinations, but so far no progress.
props.conf
[WinEventLog:Security]
TRANSFORMS-evtlog = wmi-filter,wmi-null
transforms.conf
[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[wmi-filter]
REGEX=(?msi)^(CategoryString=Account Management)
DEST_KEY = queue
FORMAT = indexQueue
Would welcome some guidance, thanks.
Android,
The issue could be with props.conf above. If your data is being indexed as WMI:WinEventLog:Security, your <spec>
stanza within props.conf should reflect:
## props.conf
[WMI:WinEventLog:Security]
TRANSFORMS-evtlog = wmi-null,wmi-filter
UPDATE: For TRANSFORMS you want to place your catch all as the first property to run.
If it helps, this is pretty much my final config for auditing changes to Active Directory.
props.conf
[WMI:WinEventLog:Security]
TRANSFORMS-evtlog = wmi-null,wmi-filter,wmi-filter28user,wmi-filter28SecGrp,wmi-filter28DlGrp
transforms.conf
[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[wmi-filter]
REGEX=(?msi)^(CategoryString=Account Management)
DEST_KEY = queue
FORMAT = indexQueue
[wmi-filter28user]
REGEX=(?msi)^(CategoryString=User Account Management)
DEST_KEY = queue
FORMAT = indexQueue
[wmi-filter28SecGrp]
REGEX=(?msi)^(CategoryString=Security Group Management)
DEST_KEY = queue
FORMAT = indexQueue
[wmi-filter28DlGrp]
REGEX=(?msi)^(CategoryString=Distribution Group Management)
DEST_KEY = queue
FORMAT = indexQueue
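A worked model of the two points made in this thread (the props.conf stanza name has to match what the data actually arrives as, and the catch-all nullQueue transform has to be listed first), added here as an example; it is not code from the thread or from Splunk. It reproduces the transforms.conf stanzas above as a Python dict and simulates the documented TRANSFORMS semantics: every transform in the list is tried in order, each match overwrites the queue key, so the last matching transform decides the queue. The sample events are constructed, and the stanza lookup by sourcetype name is a simplification of how props.conf matching really works (a [source::...] stanza would be keyed on the source instead).

```python
import re

# transforms.conf stanzas from the thread, as a dict: name -> REGEX / FORMAT
# (DEST_KEY is "queue" for all of them, so it is left implicit)
TRANSFORMS = {
    "wmi-null":           {"REGEX": r".",
                           "FORMAT": "nullQueue"},
    "wmi-filter":         {"REGEX": r"(?msi)^(CategoryString=Account Management)",
                           "FORMAT": "indexQueue"},
    "wmi-filter28user":   {"REGEX": r"(?msi)^(CategoryString=User Account Management)",
                           "FORMAT": "indexQueue"},
    "wmi-filter28SecGrp": {"REGEX": r"(?msi)^(CategoryString=Security Group Management)",
                           "FORMAT": "indexQueue"},
    "wmi-filter28DlGrp":  {"REGEX": r"(?msi)^(CategoryString=Distribution Group Management)",
                           "FORMAT": "indexQueue"},
}

# props.conf stanzas from the thread: stanza name -> ordered TRANSFORMS-evtlog list
PROPS_ORIGINAL = {          # first attempt: stanza name does not match the sourcetype
    "WinEventLog:Security": ["wmi-filter", "wmi-null"],
}
PROPS_WRONG_ORDER = {       # stanza corrected, but the catch-all runs last
    "WMI:WinEventLog:Security": ["wmi-filter", "wmi-null"],
}
PROPS_FINAL = {             # catch-all first, then the categories to keep
    "WMI:WinEventLog:Security": ["wmi-null", "wmi-filter", "wmi-filter28user",
                                 "wmi-filter28SecGrp", "wmi-filter28DlGrp"],
}


def route(raw, sourcetype, props):
    """Return the queue an event ends up in.

    Simplified model of Splunk's behaviour: only the stanza whose name equals
    the sourcetype applies; its transforms are tried in the listed order and
    each match overwrites the queue key, so the last match wins.  With no
    stanza match (or no regex match) the event goes to indexQueue.
    """
    queue = "indexQueue"
    for name in props.get(sourcetype, []):
        t = TRANSFORMS[name]
        if re.search(t["REGEX"], raw):
            queue = t["FORMAT"]
    return queue


# constructed sample events in the multi-line key=value layout of WMI event log data
EVENTS = {
    "account": "LogName=Security\nCategoryString=Account Management\nMessage=constructed sample",
    "user":    "LogName=Security\nCategoryString=User Account Management\nMessage=constructed sample",
    "secgrp":  "LogName=Security\nCategoryString=Security Group Management\nMessage=constructed sample",
    "logon":   "LogName=Security\nCategoryString=Logon/Logoff\nMessage=constructed sample",
}


def routing_table(props, sourcetype="WMI:WinEventLog:Security"):
    """Route every sample event under the given props.conf model."""
    return {label: route(raw, sourcetype, props) for label, raw in EVENTS.items()}


if __name__ == "__main__":
    for label, props in (("original", PROPS_ORIGINAL),
                         ("wrong order", PROPS_WRONG_ORDER),
                         ("final", PROPS_FINAL)):
        print(f"{label:12s} {routing_table(props)}")
```

Running it shows the three outcomes seen in the thread: with the original [WinEventLog:Security] stanza no transform applies, so every event is indexed (the "all of the event log is still coming through" symptom); with the stanza corrected but wmi-null listed last, the catch-all overwrites the whitelist match and everything is dropped; with wmi-null first, only the management categories reach indexQueue. Note also that the ^ anchor in (?msi)^(CategoryString=Account Management) does not match the "User Account Management" line, which is why the separate wmi-filter28user stanza is needed.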
Trying out:
[source::(?-i)WMI:WinEventLog:Security]
TRANSFORMS-evtlog = wmi-filter,wmi-null
Okay... just tried:
props.conf
[WMI:WinEventLog:Security]
TRANSFORMS-evtlog = wmi-null,wmi-filter
and it is working! Which is very confusing. I did swap the transforms around, but still.
Thank you.
Unfortunately this change still has not had the desired outcome; all of the event log is still coming through. Thanks for your assistance.