Current Splunk Enterprise Server Version: 6.2.1
Current Splunk Test Server Version: 6.5.0
Question: What is the proper way to filter Windows log events to only those of type/level Warning, Error, or Failure Audit for Application, Security, and System (I guess Failure Audit for Security only), without simply filtering by EventCodes with white/blacklisting?
inputs.conf
[default]
host = SplunkMachine
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = Type="^Error"
whitelist1 = Type="^2Warning"
blacklist = Type="^Information"
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = Type="^Error"
whitelist1 = Type="^2Warning"
blacklist = Type="^Information"
blacklist1 = Type="^2Failure Audit"
blacklist2 = Type="^3Success Audit"
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = Type="^Error"
whitelist1 = Type="^2Warning"
blacklist = Type="^Information"
transforms.conf
[wminull]
REGEX=(?m)^Level=(1|2|5)
DEST_KEY=queue
FORMAT=nullQueue
props.conf
########## FILE MATCH CONDITIONS ##########
[source::...\\var\\log\\anaconda.syslog(.\d+)?]
sourcetype = anaconda_syslog
[source::...\\var\\log\\anaconda.log(.\d+)?]
sourcetype = anaconda
[source::...\\var\\log\\httpd\\error_log(.\d+)?]
sourcetype = apache_error
[source::...\\var\\log\\cups\\access_log(.\d+)?]
.
.
.
[WinEventLog:Application]
TRANSFORMS-wmi=wminull
[WinEventLog:Security]
TRANSFORMS-wmi=wminull
[WinEventLog:System]
TRANSFORMS-wmi=wminull
####### NON-LOG FILES
So I've tried a few combinations of modifying just transforms.conf and inputs.conf, and just props.conf. So far, my attempts have limited the number of events that are indexed in Splunk; however, according to the documentation I should only modify props.conf and transforms.conf. I suspect I'm missing some regex remarks.
The whitelist/blacklist syntax is slightly different:
whitelist1 = Type=%^Error$%
whitelist2 = Type=%^Warning$%
...
Then you won't need any props/transforms nullqueue filtering at all.
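To make the difference between the question's patterns and the key=%regex% form in this answer concrete, here is an added simulator of the whitelist/blacklist evaluation (editor's example; it is not code from the thread, and it is not Splunk's implementation). Its assumptions: the sample events are constructed, with the textual Type values that appear in this thread; pairs inside one entry are ANDed, entries are ORed, and a blacklist match drops an event even if a whitelist entry matched. The parser accepts only the % delimiters given in the answer, so the quoted Type="^Error" form from the question is rejected rather than silently matching nothing.

```python
import re
from typing import Dict, List, Pattern

# Constructed sample events (not real data): the field names a Windows Event Log
# input exposes, with the textual Type values that appear in this thread.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventCode": "1000", "Type": "Error", "SourceName": "Application Error"},
    {"EventCode": "1530", "Type": "Warning", "SourceName": "User Profile Service"},
    {"EventCode": "1001", "Type": "Information", "SourceName": "Windows Error Reporting"},
    {"EventCode": "6008", "Type": "Error", "SourceName": "EventLog"},
]

# key=%regex% pairs separated by whitespace; the % delimiters are the form the answer gives.
_PAIR_RE = re.compile(r"(\w+)=%([^%]*)%")


def parse_filter_entry(entry: str) -> Dict[str, Pattern[str]]:
    """Turn one whitelist/blacklist value, e.g. 'Type=%^Error$% EventCode=%^1%',
    into {field: compiled regex}. Anything that is not key=%regex% (such as the
    quoted Type="^Error" form from the question) raises, so the mistake is
    visible instead of producing a filter that never matches."""
    pairs = _PAIR_RE.findall(entry)
    if not pairs or _PAIR_RE.sub("", entry).strip():
        raise ValueError(f"expected key=%regex% pairs, got {entry!r}")
    return {key: re.compile(regex) for key, regex in pairs}


def entry_matches(parsed: Dict[str, Pattern[str]], event: Dict[str, str]) -> bool:
    # All pairs in one entry must hold (assumed AND semantics within an entry).
    # re.search, not fullmatch: without ^ and $ a pattern matches anywhere in the value,
    # which is why the answer anchors both ends (^Error$).
    return all(key in event and rx.search(event[key]) for key, rx in parsed.items())


def apply_filters(events, whitelist=(), blacklist=()):
    """Keep an event when it matches at least one whitelist entry (or no whitelist
    is configured) and matches no blacklist entry. Blacklist precedence is this
    simulator's assumption; the thread recommends configuring only one of the two."""
    wl = [parse_filter_entry(e) for e in whitelist]
    bl = [parse_filter_entry(e) for e in blacklist]
    kept = []
    for ev in events:
        if wl and not any(entry_matches(p, ev) for p in wl):
            continue
        if any(entry_matches(p, ev) for p in bl):
            continue
        kept.append(ev)
    return kept


def kept_event_codes(whitelist=(), blacklist=()) -> List[str]:
    """EventCodes of the sample events that survive the given filters."""
    return [ev["EventCode"] for ev in apply_filters(SAMPLE_EVENTS, whitelist, blacklist)]


def types_matched(pattern: str) -> set:
    """Which distinct Type values in the sample a bare regex hits; a quick way to
    check a pattern before putting it into inputs.conf."""
    rx = re.compile(pattern)
    return {ev["Type"] for ev in SAMPLE_EVENTS if rx.search(ev["Type"])}


if __name__ == "__main__":
    # The question's ^2Warning and ^[1-2]$ patterns hit no textual Type value at all.
    for pat in ("^Error$", "^2Warning", "^[1-2]$", "^Error"):
        print(f"{pat:12} matches Type values: {sorted(types_matched(pat))}")
    print("whitelist Error|Warning keeps:", kept_event_codes(["Type=%^Error$%", "Type=%^Warning$%"]))
    print("blacklist Information keeps:  ", kept_event_codes(blacklist=["Type=%^Information$%"]))
```

Running it shows the two configurations the thread ends up comparing, whitelist of Error and Warning versus blacklist of Information, keep the same three sample events, which is why one of them is enough; it also shows that a pattern built for a numeric-looking Type matches nothing when the value is the text "Warning".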
Your syntax is off again:
whitelist = Type=%^[1-2]$%
With the change, still indexing events that are the Information type.
Before you do, decide on a blacklist or a whitelist, not both.
[WinEventLog://Application]
disabled = 0
start_from = newest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = Type="^[1-2]$"
Still includes things other than what is whitelisted.
The whitelist is enough, no need for a blacklist to state the same thing again.
Did you restart Splunk, and are you only looking at data coming in after the restart?
I have restarted Splunk. It did index, but it still contained Information events. I am actually disabling the data input, deleting the index, modifying the config, restarting Splunk, then creating the new index and enabling the data input with the appropriate index.
[WinEventLog://Application]
disabled = 0
start_from = newest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = Type=%^Error$%
whitelist1 = Type=%^Warning$%
blacklist = Type=%^Information$%
This is what I have changed it to, following your answer. However, Application still seems to show Information logs.
[WinEventLog://Application]
disabled = 0
start_from = newest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = Type="^[1-2]$"
blacklist = Type="^[3]$"
Found out that Type is actually a numerical value. So I changed it to this. Now zero events are being indexed, so I must have something working; just the syntax is wrong.