Filter Widows Security Events: 5145

rfrazier · ‎06-01-2015

I am trying to filter Windows:Security:Events: 5145. I created the props.conf and the transforms.conf file listed below. I have it in a app called all_indexers which gets push to all indexers. The props.conf and the transforms.conf files are in the /all_indexers/local/ directory on each of the indexers. Some thing is amiss, but I can't seem to find it.

Contents of the transforms.conf

Filter Widows Security Events: 5145

[nullFilter-5145]
REGEX=(EventCode=5145)
DEST_KEY=queue
FORMAT=nullQueue

Contents of the props.conf

[source::WinEventLog:Security]
TRANSFORMS-nullQ=nullFilter-5145

bohrasaurabh · ‎06-01-2015

in props.conf try stanza as

[source::*:Security]

in transforms you might have to change REGEX as

REGEX = (EventCode)=(5145)

rfrazier · ‎06-02-2015

I made the changes to transforms.conf and props.conf. These conf files are in $SPLUNKHOME/etc/apps/all_indexers/local.

Should these files be in $SPLUNKHOME/etc/system/local/ on each of the indexers instead?

bohrasaurabh · ‎06-02-2015

This should be actually done within the Windows TA's local directory and then deployed to all Index servers. The location on the index server should be $SPLUNKHOME/etc/apps/{Windows_TA_NAME}/local.

If you have deployment server, then use that to deploy.

How do you filter Windows:Security:Events: 5145 using use transforms.conf and props.conf?

Filter Widows Security Events: 5145

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes