Transforms.conf and Props.conf to filter WMI security eventlog

ryanfarquhar
New Member

I have a brand new Splunk 5 installation I am trying to get working with some filtering.

Right now I have one remote event log I am pulling into Splunk. It is the Security log of a Domain Controller. I am trying to only index EventCodes 566 & 632 for now. Ultimately I will set up different props and transforms depending on the source and what I am trying to filter. But for now I would like to get these two event codes working.

So I have a props.conf file that looks like this:

[WMI:WinEventLog:Security]
TRANSFORM-evtLog = wmi-null,wmi-filter

And my transforms.conf file looks like this:

[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[wmi-filter]
REGEX = (?msi)^EventCode=(566|632)
DEST_KEY = queue
FORMAT = main

I have tried changing the Regex around in several different ways, but no matter what I try, nothing makes it to my index. If I remove the Null rule, I get everything from the log, so I know it is working, just not with the filter.

Any help would be greatly appreciated.

0 Karma
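A small simulator of how Splunk evaluates a transforms class over events, added here as an example and not part of the original post: it applies the transforms in props.conf order, lets the last matching DEST_KEY = queue transform decide the destination (which is why the null-queue rule is listed first), and uses FORMAT = indexQueue for the keep rule, since FORMAT under DEST_KEY = queue must name a queue (nullQueue or indexQueue) rather than an index. The sample events, the trailing `$` on the regex, and the treatment of an unknown queue name as "not indexed" are constructed assumptions of the simulator.

```python
import re
from configparser import ConfigParser

# Constructed transforms.conf: the thread's null-first, keep-second pattern, with the keep
# rule's FORMAT set to the queue name indexQueue and a trailing $ added to the regex.
TRANSFORMS_CONF = """
[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[wmi-filter]
REGEX = (?msi)^EventCode=(566|632)$
DEST_KEY = queue
FORMAT = indexQueue
"""
# Constructed sample events in the multi-line key=value layout of WMI security events.
EVENTS = [
    "20130212100103.000000\nLogName=Security\nEventCode=566\nEventType=8\n",
    "20130212100104.000000\nLogName=Security\nEventCode=632\nEventType=8\n",
    "20130212100105.000000\nLogName=Security\nEventCode=5660\nEventType=8\n",
    "20130212100106.000000\nLogName=Security\nEventCode=528\nEventType=8\n",
]
VALID_QUEUES = {"nullQueue", "indexQueue"}  # the only FORMAT values valid for DEST_KEY = queue

def load_transforms(conf_text):
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT upper-case as written
    cp.read_string(conf_text)
    return {name: dict(cp[name]) for name in cp.sections()}

def route(event, transforms, order):
    """Apply the transforms in props.conf order; for DEST_KEY = queue the last one whose
    REGEX matches sets the destination, so wmi-null must run before wmi-filter."""
    queue = "indexQueue"  # default destination when no transform matches
    for name in order:
        t = transforms[name]
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], event):
            queue = t["FORMAT"]
    return queue

def queue_name_errors(transforms):
    """DEST_KEY = queue transforms whose FORMAT is not a queue (e.g. FORMAT = main, an index name)."""
    return [n for n, t in transforms.items()
            if t.get("DEST_KEY") == "queue" and t.get("FORMAT") not in VALID_QUEUES]

def indexed_event_codes(events, conf_text, order=("wmi-null", "wmi-filter")):
    # Simulator assumption: an unknown queue name (such as "main") counts as not indexed.
    transforms = load_transforms(conf_text)
    return [re.search(r"(?m)^EventCode=(\d+)$", ev).group(1)
            for ev in events if route(ev, transforms, order) == "indexQueue"]
```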

yannK
Splunk Employee

On which server are your props and transforms?
They have to be on the indexers (or heavy forwarders, if any) because they are the ones parsing the events.
Not on the lightweight or universal forwarders.

Also, since Splunk 4.2, the stanza for props is likely to be
[WinEventLog:Security]

0 Karma

ryanfarquhar
New Member

Okay, actually, changing the stanza from WMI:WinEventLog:Security to just WinEventLog:Security started showing entries, because all the WMI stuff started coming in unfiltered. So it is definitely WMI:WinEventLog:Security showing up. Just can't figure out why it won't filter events correctly.

0 Karma

ryanfarquhar
New Member

Changing the stanza made it start indexing, but it was pulling in events other than those I specified. Does my RegEx look wrong? Not sure why it would be matching on other Event IDs as well.

0 Karma

ryanfarquhar
New Member

This is on the indexer. I will try modifying the stanza since I am using v5.

0 Karma

martin_mueller
SplunkTrust

You've specified the null transformation to be executed before the filter transformation, so any event is gone before it gets to the filter.

0 Karma

ryanfarquhar
New Member

After trying YannK's answer, it started indexing, but started indexing everything, not just the entries listed in Transforms.conf. The order the rules were in didn't seem to matter.

0 Karma

ryanfarquhar
New Member

I have tried reversing the rules and same result. Nothing gets indexed.

0 Karma