What is the best way to filter WMI Event Logs by type without just whitelisting or blacklisting?

mgrimes
New Member

Current Splunk Enterprise Server Version: 6.2.1

Current Splunk Test Server Version: 6.5.0

Question: What is the proper way to filter Windows log events that only deal with being type/level: Warning, Error, or Failure Audit for Application, Security, and System (I guess Failure Audit for Security only), without simply filtering by eventcodes with white/blacklisting?

inputs.conf

[default]
host = SplunkMachine

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = Type="^Error" 
whitelist1 = Type="^2Warning"
blacklist = Type="^Information"

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = Type="^Error" 
whitelist1 = Type="^2Warning"
blacklist = Type="^Information" 
blacklist1 = Type="^2Failure Audit" 
blacklist2 = Type="^3Success Audit"

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = Type="^Error" 
whitelist1 = Type="^2Warning"
blacklist = Type="^Information"

transforms.conf

[wminull]
REGEX=(?m)^Level=(1|2|5)
DEST_KEY=queue
FORMAT=nullQueue

props.conf

########## FILE MATCH CONDITIONS ##########
[source::...\\var\\log\\anaconda.syslog(.\d+)?]
sourcetype = anaconda_syslog

[source::...\\var\\log\\anaconda.log(.\d+)?]
sourcetype = anaconda 

[source::...\\var\\log\\httpd\\error_log(.\d+)?]
sourcetype = apache_error 

[source::...\\var\\log\\cups\\access_log(.\d+)?]
.
.
.
[WinEventLog:Application]
TRANSFORMS-wmi=wminull

[WinEventLog:Security]
TRANSFORMS-wmi=wminull

[WinEventLog:System]
TRANSFORMS-wmi=wminull


####### NON-LOG FILES

So I've tried a few combinations of modifying just transforms.conf and inputs.conf, and just props.conf. So far, my attempts have limited the number of events that are indexed in Splunk; however, according to the documentation I should only modify props.conf and transforms.conf. I suspect I'm missing some regex remarks.

0 Karma

martin_mueller
SplunkTrust

The whitelist/blacklist syntax is slightly different:

whitelist1 = Type=%^Error$%
whitelist2 = Type=%^Warning$%
...

Then you won't need any props/transforms nullqueue filtering at all.

0 Karma

martin_mueller
SplunkTrust

Your syntax is off again:

whitelist = Type=%^[1-2]$%

0 Karma

mgrimes
New Member

With the change, still indexing events that are the Information type.

0 Karma

martin_mueller
SplunkTrust

Before you do, decide on a blacklist or a whitelist, not both.

0 Karma

mgrimes
New Member

[WinEventLog://Application]
disabled = 0
start_from = newest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = Type="^[1-2]$"

Still includes things other than what is whitelisted.

0 Karma

martin_mueller
SplunkTrust

The whitelist is enough, no need for a blacklist to state the same thing again.

Did you restart splunk and are only looking at data coming in after the restart?

0 Karma

mgrimes
New Member

I have restarted Splunk. It did index, but it still contained Information events. I am actually disabling the data input, deleting the index, modifying the config, restarting Splunk, creating the new index and enabling the data input with the appropriate index.

0 Karma

mgrimes
New Member

[WinEventLog://Application]
disabled = 0
start_from = newest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = Type=%^Error$%
whitelist1 = Type=%^Warning$%
blacklist = Type=%^Information$%

This is what I have changed it to following your answer. However, Application still seems to show Information logs.

0 Karma

mgrimes
New Member

[WinEventLog://Application]
disabled = 0
start_from = newest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = Type="^[1-2]$"
blacklist = Type="^[3]$"

Found out that Type is actually a numerical value. So I changed it to this. Now zero events are being indexed, so I must have something working; just the syntax is wrong.

0 Karma
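As an added illustration (not code from this thread or from Splunk), here is a small Python checker that flags whitelist/blacklist lines not written in the key=%regex% form martin_mueller gives above, then applies the rules to constructed sample events to show why the quoted form and the numeric `^[1-2]$` pattern from the last post select nothing. The rule-name pattern and the matching semantics (terms on one line ANDed, lines ORed, blacklist wins, no whitelist keeps everything) are assumptions for this demo, not Splunk's documented behaviour.

```python
import re
from typing import Dict, List, Tuple

Terms = List[Tuple[str, str]]          # the AND-ed key/regex pairs of one rule line
# Assumption (not from the thread): rule lines are named whitelist, whitelist1 ... blacklist9
RULE_KEY = re.compile(r"^(white|black)list\d*$")
TERM = re.compile(r"(\w+)=%([^%]*)%")   # the key=%regex% form from martin_mueller's answer

def parse_stanza(text: str) -> Tuple[List[Terms], List[Terms], List[str]]:
    """Return (whitelist lines, blacklist lines, problems) for one WinEventLog stanza."""
    whites, blacks, problems = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not RULE_KEY.match(key):
            continue                     # disabled, start_from, ... are not rules
        terms = TERM.findall(value)
        if not terms or TERM.sub("", value).strip():
            # e.g. Type="^Error": double quotes instead of % delimiters
            problems.append(f"{key}: {value!r} is not in key=%regex% form")
            continue
        (whites if key.startswith("white") else blacks).append(terms)
    return whites, blacks, problems

def line_matches(terms: Terms, event: Dict[str, str]) -> bool:
    return all(re.search(rx, event.get(k, "")) for k, rx in terms)

def keep_event(whites: List[Terms], blacks: List[Terms], event: Dict[str, str]) -> bool:
    """Assumed semantics: lines OR together, blacklist wins, no whitelist means keep all."""
    if any(line_matches(t, event) for t in blacks):
        return False
    return not whites or any(line_matches(t, event) for t in whites)

def filter_events(stanza: str, events: List[Dict[str, str]]) -> List[str]:
    whites, blacks, _ = parse_stanza(stanza)
    return [e["Type"] for e in events if keep_event(whites, blacks, e)]

# Constructed sample events; Type carries the text level that the corrected whitelist expects
EVENTS = [{"Type": "Error"}, {"Type": "Warning"}, {"Type": "Information"}]
ASKED = '[WinEventLog://Application]\nwhitelist = Type="^Error"\nwhitelist1 = Type="^2Warning"\n'
FIXED = '[WinEventLog://Application]\nwhitelist = Type=%^Error$%\nwhitelist1 = Type=%^Warning$%\n'
NUMERIC = '[WinEventLog://Application]\nwhitelist = Type=%^[1-2]$%\n'
```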