Solved: Filtering Windows Application and Security events

MBerikcurtis · ‎09-12-2011

I've been filtering Windows Security events for a while now without any issue by using:

props.conf

[WMI:WinEventLog:Security]

TRANSFORMS-wmi=wmisecnull

transforms.conf

[wmisecnull]

REGEX=(?m)^EventCode=(8|33|674|916|4770|5145|5157|4688|4689)

DEST_KEY=queue

FORMAT=nullQueue

then I made these edits

props.conf

[WMI:WinEventLog:Security]

TRANSFORMS-wmi=wmisecnull

WMI:WinEventLog:Application]

TRANSFORMS-wmi=wmiappnull

transforms.conf

[wmisecnull]

REGEX=(?m)^EventCode=(8|33|674|916|4770|5145|5157|4688|4689)

DEST_KEY=queue

FORMAT=nullQueue

[wmiappnull]

REGEX=(?m)^EventCode=(916)

DEST_KEY=queue

FORMAT=nullQueue

after these edits, the events that used to be filter are nolonger filtered.

MarioM · ‎09-13-2011

the opening "[" is missing at WMI:WinEventLog:Application,is it what you have in conf file or it's only typo in your post?

As well i would change its TRANSFORMS-wmi= for TRANSFORMS-wmiapp= just to be sure there is no conflict with first one.

View solution in original post

jsdao · ‎10-11-2012

Can you have multiple regex under on stanza or do i have to make a one to one relationship between props and transforms even if the source type and action are the same.

MarioM · ‎09-13-2011

the opening "[" is missing at WMI:WinEventLog:Application,is it what you have in conf file or it's only typo in your post?

As well i would change its TRANSFORMS-wmi= for TRANSFORMS-wmiapp= just to be sure there is no conflict with first one.

MBerikcurtis · ‎09-13-2011

once I put in the missing[ the world started spinning again!

Filtering Windows Application and Security events

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes