Hi
I need to collect all Windows Security logs from my infrastructure with the Splunk UF installed that include a specific keyword.
I'm using the following config for the Splunk Add-on for Windows, but this results in collecting all logs from the server.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
whitelist1 = (?msi)^Workstation\s+Name\:\s+KEYWORD
index = wineventlog
renderXml = false
How can I do this correctly?
You should be able to do it provided you have the event field name.
The syntax is -
whitelist = <list> | key=regex [key=regex]
You have so far -
whitelist1 = (?msi)^Workstation\s+Name\:\s+KEYWORD
Based on the doc you provided at Monitor Windows event log data
you need to identify the key -
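The stanza below is an added example, not part of the answer above, showing what the key=regex form looks like when applied to the original inputs.conf. It assumes the field to test is the event's Message (Message is one of the Windows event log keys the whitelist accepts) and wraps the regex in % characters, one of the delimiters the key=regex form accepts; KEYWORD is still the placeholder from the question.

```ini
# Example only (not from the original post): the same [WinEventLog://Security]
# stanza with the whitelist rewritten in key=regex form.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml = false

# Original line for comparison. Without a key the value is read as the
# <list> form (a list of event codes), so it does not act as a regex filter:
# whitelist1 = (?msi)^Workstation\s+Name\:\s+KEYWORD

# key=regex form: the regex is tested against the named event field only.
# (?m) lets ^ match at the start of the "Workstation Name:" line inside the
# multi-line Message; (?i) makes the match case-insensitive. Events whose
# Message does not match are dropped on the forwarder before they are sent.
whitelist1 = Message=%(?msi)^Workstation\s+Name\:\s+KEYWORD%
```

Because this filter runs inside the UF's Windows event log input, only matching events leave the host, which is the behaviour the question is after. When testing, remember that with start_from = oldest and current_only = 0 the forwarder will re-read the whole log from the beginning after the checkpoint is reset, so verify the filter on one host before rolling it out.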
Yes, in this way you take all Security event logs.
If you don't want all logs but only the ones that contain specific words, you have to filter them using props.conf and transforms.conf on your indexer.
Bye.
Giuseppe
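As an added example of the indexer-side approach described in this answer (not the answerer's own configuration): the usual two-transform pattern sends every Security event to nullQueue first and then routes the events that match the keyword back to indexQueue. Transforms in a TRANSFORMS- list are applied in order and the last matching one wins, which is what makes the pair work. The props.conf stanza is keyed on the source name the classic WinEventLog input assigns (WinEventLog:Security); the transform names and KEYWORD are placeholders.

```ini
# props.conf on the indexer (or heavy forwarder) - example only
# Stanza keyed on source, which is WinEventLog:Security for the classic input.
[source::WinEventLog:Security]
TRANSFORMS-security_keyword = security_drop_all, security_keep_keyword

# transforms.conf on the same instance - example only
# 1) Match every event and send it to nullQueue (discard).
[security_drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2) Events whose raw text contains the "Workstation Name:" line with the
#    keyword are routed back to indexQueue. Later transforms override earlier
#    ones, so anything matching here survives step 1.
[security_keep_keyword]
REGEX = (?msi)^Workstation\s+Name\:\s+KEYWORD
DEST_KEY = queue
FORMAT = indexQueue
```

Note that this filtering happens at parsing time, after the events have already crossed the network and entered the indexer's parsing pipeline, so it saves disk and licence volume but not forwarder bandwidth or indexer parsing CPU.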
Yes, this is the traditional way of doing this, but it impacts the performance of the indexers.
As I found in the docs (http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/MonitorWindowseventlogdata), I have the ability to filter some logs on the UF side, and the filter can be based on a regex.
So my question is: what am I doing wrong in my example, and how do I make it work?
To my Splunk knowledge, Universal Forwarders don't parse logs; parsing is done by Heavy Forwarders and Indexers.
There are two ways to avoid parsing logs on the Indexer:
Bye.
Giuseppe