Hello,
I am a new user Splunk.
I recovered the logs security events log of Windows (the audit access to objects).
Is it possible to specify what type of event is sent to the recipient by the universal forwarder with keywords.
example:
03/21/2013 10:06:23 AM AM ...
26 lines omitted ..
Information on access request:
Access Mask: 0x10080
Access: DELETE
ReadAttributes
In this example, recover only the events with the access to "DELETE".
Thank you.
Hello, I actually read the documentation but I have not found a mask element corresponding to the event windows.
these lines could match but it must be placed in the inputs.conf or output.conf the forwarder?
[WinEventLog: Security]
disabled = 0
start_from = newest
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 1
checkpointInterval = 5
Is it possible to add a line that matches a element "access" an entry in the event of Journal?
Yes. You can filter events on the indexer. There are loads of questions on this on splunkbase, so I recommend you look around. Also the docs section regarding filtering events is here: http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Routeandfilterdatad#Discard_specific_events...