Solved: Windows monitor security only 4624 ID

lantuin · ‎12-13-2011

Hello,
I've got a little problem. I would like to monitor security events from remote machine, but ONLY 4624 events (RDP Login). I mean that splunk server have to collect and index only ID 4624 events. Is it possible?

Thank you very much

lantuin · ‎12-13-2011

Now it's ok!!!!!

props.conf

[WMI:WinEventLog:Security]
TRANSFORMS-wmi = wminull, wmiparsing

transforms.conf

[wminull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[wmiparsing]
REGEX = (?m)^EventCode=(4624)
DEST_KEY = queue
FORMAT = indexQueue

View solution in original post

lantuin · ‎12-13-2011

Now it's ok!!!!!

props.conf

[WMI:WinEventLog:Security]
TRANSFORMS-wmi = wminull, wmiparsing

transforms.conf

[wminull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[wmiparsing]
REGEX = (?m)^EventCode=(4624)
DEST_KEY = queue
FORMAT = indexQueue

MHibbin · ‎12-13-2011

GREAT! Happy to help

Drainy · ‎12-13-2011

Good answer!

MHibbin · ‎12-13-2011

lantuin,

The following Splunk documentation should be able to assist you with this setup... http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_WMI_events.

The following splunk base question may also be of use, as it has a working solution... http://splunk-base.splunk.com/answers/29218/filtering-windows-event-logs.

I believe this should answer you question.

If this does answer you question, please mark this question as answered to help the community.

Regards,

Matt

MHibbin · ‎12-13-2011

... for example...

props.conf:

[WMI:WinEventLog:Security]
TRANSFORMS-security= events-null, events-filter

transforms.conf:

[events-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[events-filter]
REGEX = (?m)^EventCode=(4624)
DEST_KEY = queue
FORMAT = indexQueue

MHibbin · ‎12-13-2011

When you said... "I try to change Format to IndexQueue" ...

Is this how you used the index queue (i.e. IndexQueue, as stated above). I believe this should be indexQueue?

Apologies if you have done this, it is most probably case sensitive.

lantuin · ‎12-13-2011

Yes Ayn, they're coming after I made these changes and "WMI:WinEventLog:Security" is the right sourcetype.

Ayn · ‎12-13-2011

OK. And you can see for sure that this is not being applied to events coming in after you've made these changes? The events that are already in the index won't go away, but new ones should be filtered.

Is "WMI:WinEventLog:Security" the sourcetype you're looking to apply this filter to?

lantuin · ‎12-13-2011

Yes, of course!

Ayn · ‎12-13-2011

Did you restart Splunk after making these changes?

lantuin · ‎12-13-2011

I try to change Format to IndexQueue

lantuin · ‎12-13-2011

props.conf:

[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull

transforms.conf:

[wminull]
REGEX=(?m)^EventCode=(4624)
DEST_KEY=queue
FORMAT=nullQueue

MHibbin · ‎12-13-2011

Can you include an example of you props.conf and transforms.conf.

I think possibly you are sending the events to a nullqueue (as shown in the Windows example of the link above, but not another queue, as shown i other examples.

lantuin · ‎12-13-2011

Yes, I'm doing this but without result. Changes have not effect, I receive other eventcode than 4624

MHibbin · ‎12-13-2011

Have you restarted your Splunk services after making the changes to the props/transforms.conf files?

MHibbin · ‎12-13-2011

You should edit a file called transforms.conf via a shell/command line session. The file should be located in one of the following locations (you may need to create this if it does not exist.

$SPLUNK_HOME/etc/apps//local/transforms.conf (preferable)
$SPLUNK_HOME/etc/apps//default/transforms.conf
$SPLUNK_HOME/etc/system/local/transforms.conf

lantuin · ‎12-13-2011

I'm sorry, I'm not so expert 😞 I mean:

splunk > Manager > Fields > Transforms

Ayn · ‎12-13-2011

What do you mean "by GUI"?

lantuin · ‎12-13-2011

I've got some problems 😞 If I try to insert this directive by GUI, splunk says to me:

In handler 'transforms-extract': Invalid FORMAT: indexQueue (for events-filter)

In handler 'transforms-extract': Invalid FORMAT: nullQueue (for events-null and events-null3)

lantuin · ‎12-13-2011

Yes, of course!

Windows monitor security only 4624 ID

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes