I have a DC that forwards a huge amount of wineventlog:Security events to my indexer. I want to configure the forwarder so that it won't forward events that have an EventCode value I specify, i.e. EventCode 5156.
What would be the best way of going about this? Has anybody already done something similar, and if so, what would you suggest to be a less important EventCode?
Splunk is actually running on the DC? Are you using a Lightweight or heavyweight forwarder?
You can use nullQueue
to drop the events, but IIRC you will need to run as a heavyweight forwarder. Otherwise, you would need to filter at the indexer.
Take a look at this thread:
http://answers.splunk.com/questions/6179/wmi-filter-remote-eventlogs-by-host-groups
Since you said you were using an LWF, make these changes on your indexer. Configure a transform to match the traffic you want to discard.
# transforms.conf
[drop-noise]
REGEX=(?ms)host=noisyhostname.*?EventCode=5156
DEST_KEY = queue
FORMAT = nullQueue
Then enable the transform in props.conf:
# props.conf
[source://xxx]
TRANSFORMS-dropnoise = drop-noise
Note - I don't use LWF, so the regex may not be quite right. I would favor using "host=" over "ComputerName=" if it works, on the premise that it would be Splunk-assigned rather than part of the message body, but I'm not 100% sure host is valid here.
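To see what the transform above actually discards, here is an added example (written for this page; it is not code from the thread or from Splunk) that runs the answer's REGEX, plus a variant keyed on the ComputerName field that is present in the raw event body, against constructed sample Windows Security events. It assumes Splunk's default behaviour that an index-time transform's REGEX is tested against the raw event text (_raw) unless SOURCE_KEY is set; the host names, field layout and event texts are constructed for the example.

```python
import re

# Constructed sample events, laid out the way Splunk's Windows event log
# input renders them (one Field=Value per line). Not taken from the thread.
def make_event(computer_name, event_code, message):
    return "\n".join([
        "06/15/2012 10:12:03 AM",
        "LogName=Security",
        "SourceName=Microsoft Windows security auditing.",
        f"EventCode={event_code}",
        "EventType=0",
        "Type=Information",
        f"ComputerName={computer_name}",
        "TaskCategory=Filtering Platform Connection",
        "OpCode=Info",
        "Keywords=Audit Success",
        f"Message={message}",
    ])

NOISY_5156 = make_event("noisyhostname", 5156,
                        "The Windows Filtering Platform has permitted a connection.")
NOISY_4624 = make_event("noisyhostname", 4624,
                        "An account was successfully logged on.")
NOISY_5157 = make_event("noisyhostname", 5157,
                        "The Windows Filtering Platform has blocked a connection.")
OTHER_5156 = make_event("dc02.example.local", 5156,
                        "The Windows Filtering Platform has permitted a connection.")
SAMPLE_EVENTS = [NOISY_5156, NOISY_4624, NOISY_5157, OTHER_5156]

# The REGEX from the answer above, exactly as written there.
PAGE_REGEX = r"(?ms)host=noisyhostname.*?EventCode=5156"

# Variant that matches fields present in the raw body. Anchoring each field
# to its own line (^...$ under (?m)) stops 5156 from matching 51560 and stops
# a hostname that merely starts with "noisyhostname" from matching. Two
# lookaheads make the match independent of the order the fields appear in.
RAW_REGEX = r"(?ms)(?=.*^EventCode=5156$)(?=.*^ComputerName=noisyhostname$)"


def would_drop(raw_event, regex):
    """True if the transform's REGEX matches, i.e. the event goes to nullQueue."""
    return re.search(regex, raw_event) is not None


def apply_transform(events, regex):
    """Return the events that would still reach the index."""
    return [e for e in events if not would_drop(e, regex)]


if __name__ == "__main__":
    for name, regex in (("page regex", PAGE_REGEX), ("raw-body regex", RAW_REGEX)):
        kept = apply_transform(SAMPLE_EVENTS, regex)
        print(f"{name}: kept {len(kept)} of {len(SAMPLE_EVENTS)} events")
```

Run with python3. The page's regex keeps all four events, because host= is Splunk-assigned metadata and never appears in the raw body, while the raw-body variant drops only the 5156 event from noisyhostname and leaves the 4624 and 5157 events from that host, and 5156 from any other host, untouched. To key on the Splunk-assigned host instead, the transform needs SOURCE_KEY = MetaData:Host, whose value has the form host::noisyhostname.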
See edits above and reference to previous question.
Now that I think on it, I believe it is a lightweight forwarder. So I can't filter out specific events before they get sent across? How could I configure the indexer to filter a specific event type from a specific host?