Once we forward security logs for windows event log using Universal forwarder from each servers to splunk server,
Can I forward only success logs?
You can use Whitelist stanza in your inputs.conf. You can add the keywords/event-codes that are part of the events you wish to capture.
Here is the doc link for detailed explanation.
Mitesh.
What you want to look at is using the whitelist and blacklist features within inputs.conf on the universal forwarder to only capture the specific Windows EventCode to meet your needs.
Details on the inputs configuration here: http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata#Use_inputs.conf_to_config...
Splunk blog post with real examples here: http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/
Can I control which part of file for forwarding only success security log of event viewer?
Can I setup on source server with installed universal forwarder or destination server (Splunk server)?
I want to know detail settings.