Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Collecting Windows eventlogs with whitelist based on word

ArsenyKapralov
Path Finder
‎07-26-2016 08:55 AM

Hi

I need to collect all Windows security logs from my infrastructure with Splunk UF installed which include specific Keyword
I'm using following config for Splunk add-on for Windows, but this results in collecting all logs from server.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
whitelist1 = (?msi)^Workstation\s+Name\:\s+KEYWORD
index = wineventlog
renderXml=false

How can I do this correctly?

0 Karma
Reply

ddrillic
Ultra Champion
‎07-31-2016 02:57 PM

You should be able to do it provided you have the event field name.
The syntax is -

whilelist = <list> | key=regex [key=regex]

You have so far -

whitelist1 = (?msi)^Workstation\s+Name\:\s+KEYWORD

Based on the doc you provided at Monitor Windows event log data
you need to identify the key -

alt text

Preview file
1 KB
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-26-2016 09:11 AM

Yes in this way you take all security eventlogs.
if you want not all logs but only the ones that contain specific words, you have to filter them using props.conf and transforms.conf on your indexer.
Bye.
Giuseppe

0 Karma
Reply

ArsenyKapralov
Path Finder
‎07-27-2016 01:18 AM

Yes, this is traditional way for doing this, but it impacts performance of indexers.

As I found in docs (http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/MonitorWindowseventlogdata) I have ability to filter some logs on UF side and filter could be based on regex.
So my question is what am I doing wrong in my example and how to make it working?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-30-2016 09:33 AM

For my Splunk knowledge, Universal Forwarders don't parse logs, parsing is done by Heavy Forwarders and Indexers.

There are two ways to don't parse logs on the Indexer:

  • put an Heavy Forwarder between Universal Forwarders and Indexer and use it to filter logs,
  • get logs not directly from wineventlog but from a script that runs on the Universal Forwarder and writes the filtered logs in a file.

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...