I want to forward specific events from the Security log on a Windows server to my full Splunk install. I've looked through a lot of the posted documentation but can't figure out how to get the Universal forwarder to start forwarding. I then want to provide a list of Event ID numbers to whitelist to be sent to my server running Splunk.
You'll want to review this section of the documentation for configuring inputs.conf to pull security logs:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorwindowsdata
For getting the security logs, it's an on or off thing, you can't configure it at the forwarder level to send event x and y, but not z.
You'll need to send all of the data to the indexer and then route the data you don't want to the nullQueue. To learn more about doing that, and to see specific examples, this is the section of the documentation you should review:
Event-level routing/filtering and forwarding require a heavy forwarder if you want to accomplish this from the forwarder.
Within your props.conf, try the following.
[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing
This should send events with EventCodes 4634 and 4624 to the indexer while sending all others to the nullQueue. With only one transform (setnull) defined in your props.conf, you are sending all events to the nullQueue.
Anybody have an idea of what I need to fix?
Thanks for the response. I was able to get Security events to forward but wasn't able to get filtering to work. I think I'm pretty close but maybe have a typo or something missing.
Here's what I have configured.
inputs.conf
[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
props.conf
[WinEventLog:Security]
TRANSFORMS-set= setnull
transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = (?m)^EventCode=(4634|4624)
DEST_KEY = queue
FORMAT = indexQueue
Thanks.
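The two configurations above differ only in the TRANSFORMS-set line, and that difference decides whether anything reaches the index at all. The following is an added example (not from the original thread or from Splunk itself) that simulates how Splunk applies a TRANSFORMS-set list to WinEventLog:Security events: each named transform is tried in the listed order, and every match that writes DEST_KEY = queue overwrites the previous value, so the last matching transform wins. The sample events, the default queue name, and the helper names are constructed for illustration; Splunk's real pipeline is more involved, but the ordering rule is the same.

```python
"""Simulate Splunk TRANSFORMS-set queue routing for WinEventLog:Security.

Added example, not Splunk code. It shows why a props.conf line of
'TRANSFORMS-set = setnull' drops everything, why 'setnull,setparsing'
keeps only 4624/4634, and why reversing that order drops everything again.
"""
import re

# Constructed sample events (not captured from a real host). Splunk renders
# WinEventLog events as multi-line "Key=Value" text; EventCode is one line.
SAMPLE_EVENTS = [
    "06/01/2014 10:00:01 AM\nLogName=Security\nEventCode=4624\n"
    "Type=Information\nMessage=An account was successfully logged on.",
    "06/01/2014 10:00:05 AM\nLogName=Security\nEventCode=4634\n"
    "Type=Information\nMessage=An account was logged off.",
    "06/01/2014 10:00:07 AM\nLogName=Security\nEventCode=4672\n"
    "Type=Information\nMessage=Special privileges assigned to new logon.",
    "06/01/2014 10:00:09 AM\nLogName=Security\nEventCode=4688\n"
    "Type=Information\nMessage=A new process has been created.",
]

# The transforms.conf stanzas from the thread, as a dict keyed by stanza name.
TRANSFORMS = {
    "setnull": {
        "REGEX": r".",                        # matches any non-empty event
        "DEST_KEY": "queue",
        "FORMAT": "nullQueue",
    },
    "setparsing": {
        "REGEX": r"(?m)^EventCode=(4634|4624)",  # only logon/logoff events
        "DEST_KEY": "queue",
        "FORMAT": "indexQueue",
    },
}

# Assumed default: an event that no transform touches goes on to indexing.
DEFAULT_QUEUE = "indexQueue"


def route_event(raw, transform_order):
    """Return the queue an event ends up in after applying transforms in order.

    Mirrors Splunk's behaviour: transforms run in the order listed in
    TRANSFORMS-set, and each match that targets DEST_KEY=queue overwrites
    the previous queue value, so the last matching transform wins.
    """
    queue = DEFAULT_QUEUE
    for name in transform_order:
        t = TRANSFORMS[name]
        if t["DEST_KEY"] != "queue":
            continue
        if re.search(t["REGEX"], raw):
            queue = t["FORMAT"]
    return queue


def indexed_event_codes(events, transforms_set):
    """Return the EventCodes that reach indexQueue for a TRANSFORMS-set value.

    transforms_set is the right-hand side of the props.conf line, e.g.
    "setnull,setparsing".
    """
    order = [n.strip() for n in transforms_set.split(",") if n.strip()]
    kept = []
    for raw in events:
        if route_event(raw, order) == "indexQueue":
            m = re.search(r"(?m)^EventCode=(\d+)", raw)
            kept.append(m.group(1))
    return kept


if __name__ == "__main__":
    # The poster's props.conf: only setnull is listed, so nothing survives.
    print("setnull            ->", indexed_event_codes(SAMPLE_EVENTS, "setnull"))
    # The suggested fix: setnull first, then setparsing rescues 4624/4634.
    print("setnull,setparsing ->", indexed_event_codes(SAMPLE_EVENTS, "setnull,setparsing"))
    # Reversed order: setnull runs last and overwrites the rescue again.
    print("setparsing,setnull ->", indexed_event_codes(SAMPLE_EVENTS, "setparsing,setnull"))
```

The practical check this gives you: after editing props.conf, confirm that the whitelist transform is listed after the catch-all nullQueue transform, not before it, and that both stanza names appear on the TRANSFORMS-set line. Listing only setnull, or listing setnull last, silently discards every Security event on the indexer.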