How to edit my configurations to filter event logs pulled in via WMI?

chefsplunk
New Member

Hi,

I am running 6.5.2 and using WMI to get Windows Event log data into Splunk. Currently I’m pulling in Application and System logs and trying to filter what I pull in/index. I’d like to not have informational logs pulled in. I’ve tried a number of different ways to do this but nothing seems to be working. All files I am modifying are in C:\Program Files\Splunk\etc\system\local. To test I am making changes to the files and then ‘searching’ for “| extract reload=t”. My search time is 1 minute but I don’t think that should matter for the purpose of reloading the files.

Inputs.conf

[WinEventLog:System] (I’ve also tried [WinEventLog://System])
blacklist = Information
blacklist1 = 7036 (EventCode which I am trying to test on)

However, I’m not even sure inputs.conf can filter on event log info pulled in via WMI. From the inputs.conf docs under Windows Event Log Monitor section “Note: The WinEventLog stanza is for local systems only. To define event log monitor inputs for remote machines, use wmi.conf.” Can anyone confirm or deny this? wmi.conf doesn't seem to have any ability to filter like this. So I tried transforms and props.

transforms.conf

[setnulla]
REGEX=(?msi)^EventCode=(7036)
DEST_KEY=queue
FORMAT=nullQueue
I’ve also tried REGEX=Type=Information

props.conf

[WMI:wmiTest]
TRANSFORMS-set = setnulla

I’ve also tried [WMI:WinEventLog:System], [WMI:WinEventLog:*], [WinEventLog:System], and [WinEventLog:*]. However, nothing I change makes any difference. Any help would be greatly appreciated. I’ve looked at a number of posts, including:

https://answers.splunk.com/answers/91173/multiple-wmi-sources-in-props-conf.html

https://answers.splunk.com/answers/498277/how-to-filter-or-blacklist-all-event-typelevel-inf.html

https://answers.splunk.com/answers/107605/filtering-events-out-via-props-conf-and-transforms-conf.ht...

Thanks

martin_mueller
SplunkTrust

As per http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/inputsconf#Event_Log_whitelist_and_blacklist... (scroll up a tiny bit) you cannot mix the "list of event codes" format with the regular expression format.
Your blacklist should look something like this:

blacklist1 = EventCode=%^7036$%
blacklist2 = Type=%^Information$%

After making that change in inputs.conf and restarting Splunk you should see it affect data coming in from that point on, old data remains indexed as it was.

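As an added illustration (not code from this thread or from Splunk), the following Python models the two blacklist entry forms the answer above contrasts: a plain list of event codes, and the key=%regex% form. The parser, the stanza dictionaries and the sample events are constructed for this example and are not Splunk's own implementation; it only models one key=regex pair per entry. It shows why a bare word such as `blacklist = Information` is not a valid entry in either form, why the swapped delimiters in `Type=%^Information%$` fail to parse, and that the corrected entries drop EventCode 7036 and Information-level events while keeping everything else.

```python
import re

# Constructed model of the two documented blacklist entry forms for
# WinEventLog inputs (NOT Splunk's parser, an added example only):
#   1. a list of event codes, e.g. "7036" or "4,5,100-200"
#   2. key=%regex%, e.g. "EventCode=%^7036$%" or "Type=%^Information$%"
CODE_LIST_RE = re.compile(r'\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*')
KEY_REGEX_RE = re.compile(r'(?P<key>\w+)=%(?P<regex>.*)%')


def parse_entry(entry):
    """Return (field_name, predicate) for one blacklist value, or raise ValueError."""
    entry = entry.strip()
    if CODE_LIST_RE.fullmatch(entry):
        codes = set()
        for part in entry.split(','):
            lo, _, hi = part.partition('-')
            codes.update(range(int(lo), int(hi or lo) + 1))
        return 'EventCode', lambda value, codes=codes: int(value) in codes
    m = KEY_REGEX_RE.fullmatch(entry)
    if m:
        rx = re.compile(m.group('regex'))
        return m.group('key'), lambda value, rx=rx: rx.search(str(value)) is not None
    # Neither form: a bare word, or %...% delimiters in the wrong order.
    raise ValueError(f'not a code list or key=%regex% entry: {entry!r}')


def validate_stanza(stanza):
    """Return the names of blacklist* keys whose values do not parse."""
    bad = []
    for key, value in stanza.items():
        if key.startswith('blacklist'):
            try:
                parse_entry(value)
            except ValueError:
                bad.append(key)
    return bad


def build_rules(stanza):
    """Compile every blacklist* key of a stanza into (field, predicate) rules."""
    return [parse_entry(v) for k, v in stanza.items() if k.startswith('blacklist')]


def is_blacklisted(event, rules):
    """An event is dropped if any rule's field is present and its predicate matches."""
    return any(field in event and pred(event[field]) for field, pred in rules)


def filter_events(events, stanza):
    """Return the EventCodes that survive the stanza's blacklist, in order."""
    rules = build_rules(stanza)
    return [e['EventCode'] for e in events if not is_blacklisted(e, rules)]


# Constructed sample events, shaped like the fields a WinEventLog event carries.
SAMPLE_EVENTS = [
    {'EventCode': 7036, 'Type': 'Information', 'SourceName': 'Service Control Manager'},
    {'EventCode': 1000, 'Type': 'Information', 'SourceName': 'Application Error'},
    {'EventCode': 7045, 'Type': 'Warning', 'SourceName': 'Service Control Manager'},
    {'EventCode': 6008, 'Type': 'Error', 'SourceName': 'EventLog'},
]

# Corrected stanza from the answer above: regex form with %...% delimiters.
CORRECTED_STANZA = {
    'blacklist1': 'EventCode=%^7036$%',
    'blacklist2': 'Type=%^Information$%',
}

# Stanza with the last two characters of blacklist2 swapped.
SWAPPED_STANZA = {
    'blacklist1': 'EventCode=%^7036$%',
    'blacklist2': 'Type=%^Information%$',
}

if __name__ == '__main__':
    print('bad keys in swapped stanza:', validate_stanza(SWAPPED_STANZA))
    print('kept after corrected blacklist:', filter_events(SAMPLE_EVENTS, CORRECTED_STANZA))
```

Running the script reports `blacklist2` as unparseable in the swapped stanza and keeps only the Warning and Error events (7045 and 6008) under the corrected one; the swapped entry is not a weaker filter, it is not a filter at all, which matches the "no change at all" symptom in the question.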
martin_mueller
SplunkTrust

Bottom line, last two chars are swapped... in my answer too 😄 oops...

chefsplunk
New Member

I'm starting to wonder if this is possible while gathering event logs via WMI. The inputs.conf docs say "Note: The WinEventLog stanza is for local systems only. To define event log monitor inputs for remote machines, use wmi.conf." Unfortunately wmi.conf does not offer the filtering that is available in inputs.conf.

chefsplunk
New Member

Thanks for your response. No luck. Since it seems you are suggesting this can be done with inputs.conf (which would be ideal) I made the changes you suggested, have commented out everything in props.conf and transforms.conf (just to sanity check # is a comment, right?), and restarted the splunk service (.\splunk.exe restart). My inputs.conf is:

[default]
host = splunk00

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog:System]
blacklist1 = EventCode=%^7036$%
blacklist2 = Type=%^Information%$
