I know the "simplest" way is to stand up a second instance of Splunk and have completely different values for renderXml and whitelist between the two, but this is not an option for us; I need a single-instance solution. We are planning on using renderXml for most events because it has impeccable field extraction, so we don't need to build that part. The problem is that the UAC transitions are not translated; we get an old UAC value and a new one, and even then there appears to be at least 1 intractable problem with building our own UAC-transition decoder macro, so we are planning not to do that. Instead we would like those events (e.g. EventCode 4738) to be sent in without renderXml (or perhaps sent in both ways) so that we can access Windows' plain-text interpretations of the transitions. It would be nice if I could just have multiple stanzas for [WinEventLog://Security], but Splunk Universal Forwarders only act on the last one and will ignore all the other ones.
So here's my idea... put a filter on your security log that filters events of 4738 to another event log. Then mount that sucker in the Windows Event Viewer and start monitoring it with the universal forwarder.
Seems like you could script it from here... Pseudo PowerShell code below (Get-EventLog needs -LogName, and the property on its records is EventID):
get-eventlog -LogName Security | where { $_.EventID -eq 4738 } | write-eventlog ...
Hopefully these are not super time critical events, so that you can write code to do this for you pretty quickly, and then schedule the code to run every hour or whatever...
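A worked version of the idea above, added here as an example and not code from the original answer: copy Security event 4738 into a custom log that a second [WinEventLog://...] stanza can read without renderXml. The custom log name, source name and state-file path are assumptions; it needs an elevated Windows PowerShell 5.1 session (Write-EventLog is not in PowerShell 7).

```powershell
# Added example, not from the original thread. Copies Security 4738
# (user account changed) into a custom log so Splunk can collect the
# Windows-rendered text while the Security log stays on renderXml.
$SourceLog = 'Security'
$TargetLog = 'SplunkUacText'                        # assumed custom log name
$TargetSrc = 'UacCopier'                            # assumed event source name
$StateFile = 'C:\ProgramData\UacCopier\last.txt'    # assumed path

# One-time setup: register the custom log and source (admin required).
if (-not [System.Diagnostics.EventLog]::SourceExists($TargetSrc)) {
    New-EventLog -LogName $TargetLog -Source $TargetSrc
}

# Resume from the last copied RecordId so an hourly run never duplicates.
$lastId = [int64]0
if (Test-Path $StateFile) { $lastId = [int64](Get-Content $StateFile) }

# Pull only 4738 from Security; SilentlyContinue avoids an error when none exist.
$events = Get-WinEvent -FilterHashtable @{ LogName = $SourceLog; Id = 4738 } `
          -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordId -gt $lastId } |
    Sort-Object RecordId

foreach ($e in $events) {
    # FormatDescription() returns the message as Windows renders it,
    # i.e. the plain-text old/new UAC interpretation the question wants.
    $msg = $e.FormatDescription()
    if ([string]::IsNullOrEmpty($msg)) { $msg = $e.Message }
    # Keep the original RecordId so the copy can be joined back to the
    # renderXml event in Splunk (e.g. by RecordNumber).
    Write-EventLog -LogName $TargetLog -Source $TargetSrc -EventId 4738 `
        -EntryType Information `
        -Message ("SecurityRecordId={0}`n{1}" -f $e.RecordId, $msg)
    $lastId = $e.RecordId
}

New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
Set-Content -Path $StateFile -Value $lastId

# Matching forwarder inputs.conf (assumed):
#   [WinEventLog://Security]
#   renderXml = true
#   [WinEventLog://SplunkUacText]
#   renderXml = false
```

Schedule it with Task Scheduler under an account that can read the Security log; the copy arrives in Splunk under the custom log's source, so searches that need the text transitions can target that source instead of the XML events.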
Are you looking to do this exclusively with universal forwarders or have you considered using a heavy forwarder to possibly do some per event parsing before it reaches the indexer?
Heavy Indexer is a viable option for us.