Hello,
I'm interested in installing universal forwarders (UF) on machines to ingest local security event logs into Splunk. However, I don't want every single security event log sent from the UFs to the heavy forwarder.
This leads to two questions:
1. Am I able to specify exactly which Event log IDs to send?
2. In addition to specifying Event Log IDs, can I get more granular and, for instance, send only Event ID 4732 logs (a member was added to a security-enabled group) but specify ONLY to send if it matches additional criteria — for members added to particular groups such as the local administrators group?
Hi @johann2017
Yes Its definitely possible to filter by IDs. I would recommend you have a quick read of this PDF from the experts at Aplura:
https://www.aplura.com/docs/SplunkWindowsEventLogs.pdf
It has some very good links to blacklists that you can use to filter the events and reduce your ingest.
All the best.
Hi @johann2017
Yes Its definitely possible to filter by IDs. I would recommend you have a quick read of this PDF from the experts at Aplura:
https://www.aplura.com/docs/SplunkWindowsEventLogs.pdf
It has some very good links to blacklists that you can use to filter the events and reduce your ingest.
All the best.
Thanks I think that will get me kickstarted!