Getting Data In

WMI: filter remote Eventlogs by Host Groups

Daniel
Explorer

I would like to know whether it is possible to filter remote Windows event logs based on the groups inside wmi.conf. I have a forwarder on a Windows host, sending its messages to a Linux box. I defined a group "server" and a group "active directory server".

I want all Security event logs from the active directory group but only "Audit fails" from the other server group. EventCode 697 should never be forwarded.

Filtering all is easy. props.conf:

[wmi]
TRANSFORMS_wmi=wminull

transforms.conf:

[wminull]
REGEX = (?m)^(EventCode=697|Type=Audit Success|Type=Success Audit)
DEST_KEY = queue
FORMAT = nullQueue

Filtering should be placed on the forwarder for licensing reasons. Does anyone have an idea how to do this?

Thanks in advance.


Daniel
Explorer

Finally I created two regexes and defined the hosts twice..

[wmi_non_ad_697_lf]
REGEX = (?msi)ComputerName=(?!hosta|hostb).+?(EventCode=697|Type=Audit Success|Type=Success Audit|Type=.berwachung erfolgreich)
DEST_KEY = queue
FORMAT = nullQueue

[wmi_ad_697_lf]
# All AD servers with EventCode 697 are dropped
REGEX = (?msi)ComputerName=(?=hosta|hostb).+?(EventCode=697)
DEST_KEY = queue
FORMAT = nullQueue

Not very Splunk, but it works.

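The two nullQueue transforms from the accepted answer, replayed in Python against constructed WMI Security events to show which events are dropped and which are indexed. This is an added example, not code from the original post; it assumes hosta/hostb are the AD servers, the events are constructed, and fields appear in the order the WMI input emits them (ComputerName before EventCode and Type), which is what the regexes rely on. It also exercises two edge cases the regexes have: the missing boundary after 697 and the prefix-only lookahead on the host name.

```python
"""Replay the two nullQueue transforms from the accepted answer against
constructed WMI Security events and report where each event ends up.
Assumptions (not from the original post): hosta/hostb are the AD servers,
the events are constructed, and fields appear in the order the WMI input
emits them (ComputerName before EventCode and Type), as the regexes rely on."""
import re

# The two REGEX values exactly as posted; (?msi) is honoured by Python's re.
NULLQUEUE_TRANSFORMS = {
    "wmi_non_ad_697_lf": re.compile(
        r"(?msi)ComputerName=(?!hosta|hostb).+?(EventCode=697|Type=Audit Success"
        r"|Type=Success Audit|Type=.berwachung erfolgreich)"
    ),
    "wmi_ad_697_lf": re.compile(r"(?msi)ComputerName=(?=hosta|hostb).+?(EventCode=697)"),
}

def make_event(computer_name: str, event_code: int, event_type: str) -> str:
    """Build a constructed multi-line event in WMI field order."""
    return (
        f"ComputerName={computer_name}\nEventCode={event_code}\n"
        f"EventIdentifier={event_code}\nLogfile=Security\n"
        f"Type={event_type}\nUser=NT AUTHORITY\\SYSTEM\n"
    )

def route(event: str) -> str:
    """Return the transform that drops the event, or 'indexQueue' if none matches."""
    for name, regex in NULLQUEUE_TRANSFORMS.items():
        if regex.search(event):
            return name
    return "indexQueue"

if __name__ == "__main__":
    samples = [
        ("hosta", 4624, "Audit Success"),   # AD server: every Security event is kept
        ("HOSTB", 697, "Audit Success"),    # AD server, 697: dropped (case-insensitive)
        ("hostc", 4624, "Audit Success"),   # other server, success: dropped
        ("hostc", 4625, "Audit Failure"),   # other server, failure: kept
        ("hostc", 697, "Audit Failure"),    # other server, 697: dropped
        ("hostc", 4624, "Überwachung erfolgreich"),  # German label; '.' absorbs the umlaut
        ("hostc", 6971, "Audit Failure"),   # caveat: no boundary after 697, so 6971 is dropped
        ("hostab", 4624, "Audit Success"),  # caveat: lookahead is a prefix test, hostab passes as AD
    ]
    for computer, code, typ in samples:
        print(f"{computer:<7} {code:<5} {typ:<24} -> {route(make_event(computer, code, typ))}")
```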

gkanapathy
Splunk Employee

I am not sure what you mean by a "group" in wmi.conf? You mean different stanzas? If so, they will have different names, and you can filter on wmi_type=StanzaNameWithoutWMIPrefix.

However, I wonder if you have complicated this or basically, made things a lot more difficult for yourself by creating a different stanza for the same logs. It would be a lot better to filter on the host name, or report after the fact than to have a different sourcetype/source for WinEventLog:Security logs.

Whether filtering occurs on the forwarder or the indexer has no effect on licensing. Transforms must occur where parsing occurs. (Here.) If the forwarder is a Light Forwarder, parsing occurs on the indexer, and therefore the transforms and configuration must be set on the indexer.

Daniel
Explorer

wmi_type is set to WinEventLog:Security - no way to filter on my stanza. I would say I have different stanzas for nearly each log type. I have one stanza with three log files and another one with nine. The only thing is that I want to have all security logs from the second stanza and only failures from the first. I think I'm confused about stanzas and possible keys in the config files.

gkanapathy
Splunk Employee

I really recommend you have a different stanza for each log type, because I am pretty sure there is nothing else in the data that would indicate which file a particular log came from.

Daniel
Explorer

Ugly formatting..
I'll try the wmi_type - thank you!

Daniel
Explorer

I think I mean different stanzas:

[WMI:Servers]
disabled = 0
event_log_file = Application, Security, System
interval = 5
server = hostA,hostB...

[WMI:AD]
disabled = 0
event_log_file = DFS Replication, Directory Service, DNS Server, File Replication Service, HardwareEvents, Key Management Service, Security, System, Application
interval = 5
server = HostF, HostG...

As I have to define the hostname in wmi.conf, I thought I could use this definition somewhere else. So I need to filter by hostname, but I want to define the hostname only once and not in several files.
The forwarder is not the light one.
