Getting Data In

Transforms.conf and Props.conf to filter WMI security eventlog

ryanfarquhar
New Member

I have a brand new Splunk 5 installation I am trying to get working with some filtering.

Right now I have one remote event log I am pulling into Splunk. It is the Security log of a Domain Controller. I am trying to only index EventCodes 566 & 632 for now. Ultimately I will set up different props and transforms depending on the source and what I am trying to filter. But for now I would like to get these two event codes working.

So I have a props.conf file that looks like this:

[WMI:WinEventLog:Security]
# the props.conf key is TRANSFORMS-<class>; a TRANSFORM- key is ignored
TRANSFORMS-evtLog = wmi-null,wmi-filter

And my transforms.conf file looks like this:

[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[wmi-filter]
REGEX = (?msi)^EventCode=(566|632)
DEST_KEY = queue
# DEST_KEY = queue takes a queue name (indexQueue or nullQueue), not an index name
FORMAT = indexQueue

I have tried changing the Regex around in several different ways, but no matter what I try, nothing makes it to my index. If I remove the Null rule, I get everything from the log, so I know it is working, just not with the filter.

Any help would be greatly appreciated.


yannK
Splunk Employee

On which server are your props and transforms?
They have to be on the indexers (or heavy forwarders, if any) because they are the ones parsing the events.
Not on the lightweight or universal forwarders.

Also, since Splunk 4.2, the stanza for props is likely to be
[WinEventLog:Security]


ryanfarquhar
New Member

Okay, actually, changing the stanza from WMI:WinEventLog:Security to just WinEventLog:Security started showing entries, because all the WMI stuff started coming in unfiltered. So it is definitely WMI:WinEventLog:Security showing up. Just can't figure out why it won't filter events correctly.


ryanfarquhar
New Member

Changing the stanza made it start indexing, but it was pulling in events other than those I specified. Does my RegEx look wrong? Not sure why it would be matching on other Event IDs as well.


ryanfarquhar
New Member

This is on the indexer. I will try modifying the stanza since I am using v5.


martin_mueller
SplunkTrust

You've specified the null transformation to be executed before the filter transformation, so any event is gone before it gets to the filter.

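To make the routing in the question and in this answer concrete, here is an added Python model of how Splunk applies a TRANSFORMS- list. It is not Splunk's code and not from this thread: it parses props.conf/transforms.conf text with configparser, runs the listed transforms in order over a few constructed WinEventLog-style events (not captured data), and applies the documented rule that each matching transform overwrites the queue key, so the last match wins. It also lints the two settings that break filtering silently, a TRANSFORM- key instead of TRANSFORMS- and FORMAT = main (an index name) where a queue name is required. The default queue of indexQueue when nothing matches, and the $-anchored regex that keeps 566 from matching a decoy 5660, are this example's assumptions.

```python
import re
import configparser

# Constructed sample events in the key=value layout Splunk's Windows event log
# inputs produce; these are made-up records, not captured data.
SAMPLE_EVENTS = [
    "01/15/2013 10:00:01 AM\nLogName=Security\nEventCode=566\nMessage=Object operation",
    "01/15/2013 10:00:02 AM\nLogName=Security\nEventCode=632\nMessage=Group member added",
    "01/15/2013 10:00:03 AM\nLogName=Security\nEventCode=540\nMessage=Network logon",
    "01/15/2013 10:00:04 AM\nLogName=Security\nEventCode=5660\nMessage=Decoy: starts with 566",
]

# Corrected configuration: TRANSFORMS- key, queue-valued FORMAT, and a $-anchored
# regex so that 566 does not also match 5660 ((?m) makes $ match at end of line).
PROPS_CONF = """
[WMI:WinEventLog:Security]
TRANSFORMS-evtLog = wmi-null,wmi-filter
"""

TRANSFORMS_CONF = """
[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[wmi-filter]
REGEX = (?msi)^EventCode=(566|632)$
DEST_KEY = queue
FORMAT = indexQueue
"""

# The thread's original settings, kept only so lint() can flag them.
ORIGINAL_PROPS = """
[WMI:WinEventLog:Security]
TRANSFORM-evtLog = wmi-null,wmi-filter
"""
ORIGINAL_TRANSFORMS = """
[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[wmi-filter]
REGEX = (?msi)^EventCode=(566|632)
DEST_KEY = queue
FORMAT = main
"""

VALID_QUEUES = {"indexQueue", "nullQueue"}


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, keeping key case as written."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep REGEX / DEST_KEY / TRANSFORMS-x exactly as typed
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def transform_order(props, stanza):
    """Return the transform names listed by every TRANSFORMS-<class> key, in order."""
    order = []
    for key, value in props.get(stanza, {}).items():
        if key.startswith("TRANSFORMS-"):
            order.extend(name.strip() for name in value.split(","))
    return order


def route(event, transforms, order):
    """Model of Splunk's routing: transforms run in list order and every match
    overwrites the queue key, so the last matching transform decides."""
    queue = "indexQueue"  # assumption: destination when no transform matches
    for name in order:
        t = transforms[name]
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], event):
            queue = t["FORMAT"]
    return queue


def route_all(events, props, transforms, stanza="WMI:WinEventLog:Security"):
    """Return (EventCode, queue) for each event under the stanza's transform list."""
    order = transform_order(props, stanza)
    result = []
    for event in events:
        code = re.search(r"EventCode=(\d+)", event).group(1)
        result.append((code, route(event, transforms, order)))
    return result


def lint(props, transforms, stanza="WMI:WinEventLog:Security"):
    """Flag the two mistakes that make filtering fail without any error message."""
    problems = []
    for key in props.get(stanza, {}):
        if key.startswith("TRANSFORM-"):
            problems.append(f"{stanza}: '{key}' should be spelled TRANSFORMS-<class>")
    for name, t in transforms.items():
        if t.get("DEST_KEY") == "queue" and t.get("FORMAT") not in VALID_QUEUES:
            problems.append(f"[{name}]: FORMAT={t.get('FORMAT')} is not a queue name")
    return problems


if __name__ == "__main__":
    props, transforms = parse_conf(PROPS_CONF), parse_conf(TRANSFORMS_CONF)
    for code, queue in route_all(SAMPLE_EVENTS, props, transforms):
        print(f"EventCode={code:<5} -> {queue}")
    for problem in lint(parse_conf(ORIGINAL_PROPS), parse_conf(ORIGINAL_TRANSFORMS)):
        print("problem:", problem)
```

With the catch-all wmi-null listed first and wmi-filter second, 566 and 632 land in indexQueue and everything else in nullQueue; reverse the list and the catch-all runs last, so every event is discarded. The lint on the original settings reports the TRANSFORM- key and FORMAT = main, which is why the thread's configuration indexed nothing regardless of the regex.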

ryanfarquhar
New Member

After trying YannK's answer, it started indexing, but it started indexing everything, not just the entries listed in Transforms.conf. The order the rules were in didn't seem to matter.


ryanfarquhar
New Member

I have tried reversing the rules and same result. Nothing gets indexed.
