How to configure Splunk to index only security eve...

pbrown1117 · ‎07-17-2014

Can Splunk be configured to index only security events (failed logins, authorization changes, etc) from Windows machines, and not performance information?

gnoellbn · ‎07-17-2014

Yes, you should use this in you inputs.conf file :

[WinEventLog://Security]
disabled = 0

We do the exact same thing, furthermore we sort out event number we don't need using event ID exctracted from :
http://support.microsoft.com/kb/977519

Here's what our transforms.conf looks like :

[grab]
REGEX =  (?msi).*EventCode=(4624|4634|4625|4740|4767|5143|4670|4670|4663|4670|4670|4660|4663|5143|4657|4720|4722|47239|4724|4738|4725|4726|4738|4727|4731|4728|4732|4729|4733|4730|4734|6144|4674|4674|4674|4608|4609|4610|4611|4612|4614|4616|528|538|540|529|682|531|551|537|539|552|4623|4672|4647|4648|560|562|4656|4658)
DEST_KEY = queue
FORMAT = indexQueue

somesoni2 · ‎07-17-2014

There are many posts for Windows event filtering. Have a look at them.

http://answers.splunk.com/answers/29218/filtering-windows-event-logs

http://answers.splunk.com/answers/1888/How-do-I-configure-Splunk-to-filter-out-events-I-don%E2%80%99...

How to configure Splunk to index only security events from Windows machines?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...