I'm trying to monitor a specific Windows Application EventCode (via a whitelist), yet the events are not being sent to Splunk.
I've found numerous posts on the answers site, most of them with different configs, but I've yet to find one that works. What's stated in the documentation (http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/MonitorWindowseventlogdata#Create_advanced_fi...) does not work as specified.
I've tried both of these stanzas with no luck:
[WinEventLog://Application]
disabled = 0
index = os_windows
whitelist = EventCode="^3000$"

[WinEventLog://Application]
disabled = 0
index = os_windows
whitelist = EventCode="3000"
I'm running v6.6.1. Any help would be appreciated.
Thanks.
You need to deploy these settings to your indexing server (usually your Indexer Tier but it could be your Heavy Forwarder).
You need to restart all Splunk instances there.
You need to verify it by checking ONLY events that have been indexed since the restart (_index_earliest=-5m@m or similar), because existing events will stay (you can use delete to hide them).
The approach Giuseppe suggested is not one I'm exploring. I'm confident this can be done via a whitelist on the UF, not on the Indexers.
My answer is not "an approach"; it is a deployment and testing methodology regardless of what approach you do use. In other words, the problem is probably not in "your approach".
I don't think the quotes are needed (I don't see them in the actual Event Log details).
I've tried all of the following with no luck:
1. whitelist = EventCode=\"3000\"
2. whitelist = EventCode=3000
3. whitelist = EventCode=3000
The documentation is very straightforward as to how this should work. Very frustrating it doesn't function as advertised.
Hi ericlarsen,
at first verify that the regex is correct using a simple search:
index=wineventlog | regex "EventCode=3000"
you should get only events with EventCode=3000.
Sometimes EventCode is expressed as EventId and sometimes there are spaces.
If the regex is correct, I suggest using a different approach to filter events: see http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad and filter data before indexing.
I know that this requires more bandwidth, but it's a sure method.
Bye.
Giuseppe
Thanks for the response.
I've verified that index=myIndex | regex "EventCode=3000" works in the search bar.
Are you suggesting using a HF to filter events before they're ingested?
Thanks.
No, in your indexers you can filter events following the URL I mentioned.
In other words, you have to insert in props.conf:

[WinEventLog:Security]
TRANSFORMS-set-3000=set_nullqueue,set_3000

and in transforms.conf:

#discard
[set_nullqueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

#take
[set_3000]
REGEX=EventCode\=3000
DEST_KEY = queue
FORMAT = indexQueue

In this way, on sourcetype WinEventLog:Security you take only events with EventCode=3000.
Bye.
Giuseppe
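As an added illustration (not code from the thread or from Splunk), this Python script simulates how the two transforms above route constructed sample Windows events: every transform in the TRANSFORMS list is applied in order and the last one that matches decides the queue. It also shows a caveat worth checking before deploying: the unanchored REGEX "EventCode\=3000" also keeps EventCode=30001, while a lookahead that refuses a following digit does not.

```python
import re

# Constructed sample events in the multi-line layout Splunk uses for
# WinEventLog data (sample data, not taken from the thread).
SAMPLE_EVENTS = [
    "06/20/2017 10:01:02 AM\nLogName=Application\nEventCode=3000\nEventType=4\n",
    "06/20/2017 10:01:03 AM\nLogName=Application\nEventCode=30001\nEventType=4\n",
    "06/20/2017 10:01:04 AM\nLogName=Application\nEventCode=1000\nEventType=2\n",
    "06/20/2017 10:01:05 AM\nLogName=Application\nEventCode=3000\nEventType=3\n",
]

# transforms.conf stanzas reduced to (REGEX, FORMAT) pairs, in the order
# named by TRANSFORMS-set-3000=set_nullqueue,set_3000.
TRANSFORMS_AS_POSTED = [
    (r".", "nullQueue"),                 # [set_nullqueue]: discard everything
    (r"EventCode\=3000", "indexQueue"),  # [set_3000]: keep EventCode=3000
]

# Same routing, but the keep-rule refuses a digit after 3000 (assumed fix,
# not from the thread), so 30001 no longer slips through.
TRANSFORMS_ANCHORED = [
    (r".", "nullQueue"),
    (r"EventCode\=3000(?!\d)", "indexQueue"),
]


def route(event, transforms):
    """Return the final queue for one event: the last matching transform wins."""
    queue = "indexQueue"  # default destination when no transform matches
    for regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def indexed_codes(transforms, events=SAMPLE_EVENTS):
    """EventCode values of the events that end up in indexQueue."""
    kept = []
    for ev in events:
        if route(ev, transforms) == "indexQueue":
            kept.append(re.search(r"EventCode=(\d+)", ev).group(1))
    return kept


if __name__ == "__main__":
    print("as posted:", indexed_codes(TRANSFORMS_AS_POSTED))
    print("anchored: ", indexed_codes(TRANSFORMS_ANCHORED))
```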
Hi ericlarsen,
in whitelist you have to insert a regex, not a string; try with
whitelist = EventCode\=\"3000\"
and check whether the message is actually EventCode="3000"; I'm not sure about the brackets.
Bye.
Giuseppe