Hey all,
I am looking to change the sourcetype of events originating from the source = WinEventLog:Microsoft-Windows-Windows Defender/Operational logs that are coming in through the Forwarded Events log on one of our WECs that's collected via UF.
I want to send them to their own index and have that unique sourcetype so I can use it with the TA-microsoft-windefender.
Is there a way to configure the inputs to use the source to find them, then set the sourcetype and index?
Hi @adalbor,
From your Windows TA on your UF, in the local folder, find the relevant monitor stanza in inputs.conf: [WinEventLog://<name>]
And simply add the index name you wish to route to there. This works similarly to defining which index a specific file monitor goes to.
Let me know if this works out for you.
Cheers,
David
This is what I have so far, trying to test if it will work.
props.conf:

# Keyed on the source value quoted above; TRANSFORMS-* runs the named transforms in order
[source::WinEventLog:Microsoft-Windows-Windows Defender/Operational]
TRANSFORMS-windef = win_defender_sourcetype,win_defender_index

transforms.conf:

[win_defender_sourcetype]
# "*" on its own is not a valid regex ("nothing to repeat"); "." matches any character, i.e. every event
REGEX = *
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::windows:defender

[win_defender_index]
REGEX = *
# note the leading underscore on the index key
DEST_KEY = _MetaData:Index
FORMAT = ms_def
Have it on HFs and IDXs.
The above didn't work and I tried changing the wildcard to a period and still nothing.
Anyone have any recommendations to make this work?
Hey David,
I have the index specified for the monitoring stanza already.
I have Windows Security/System/WinDefender/Bitlocker events all going to the Forwarded Events on a WEC.
I was looking for a way to break out my WinDefender and Bitlocker events from that monitoring stanza by sourcetype and also put them in their own index.
The WEC that is collecting these events doesn't have WinDefender or Bitlocker installed, so their respective log locations don't exist.
Thanks
Andrew
In that case, since the data is already mixed up, the only way to split it is to route it to a different index on the indexing layer; there is nothing to be done on the UF layer for splitting it out:
https://answers.splunk.com/answers/50761/how-do-i-route-data-to-specific-index-based-on-a-field.html
Thank you!
Most welcome @adalbor, let me know if you need anything else and please accept the answer and upvote if it was helpful!
If your data has already been indexed there is no way to change the sourcetype. You would need to delete it and reindex. Try this
Thanks for the input... not trying to re-index data though.
Hi adalbor,
see https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Advancedsourcetypeoverrides
Anyway, try something like this:

props.conf:

[your_original_sourcetype]
# points at the transforms.conf stanza below
TRANSFORMS-override = set_custom_sourcetype

transforms.conf:

[set_custom_sourcetype]
REGEX = <your_regex>
FORMAT = sourcetype::<your_custom_sourcetype_value>
DEST_KEY = MetaData:Sourcetype
but remember that using the original TA_Windows you already have all the fields correctly defined, whereas if you override the sourcetype you have to redefine all of them.
Bye.
Giuseppe
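A complete props.conf/transforms.conf pair that does both the sourcetype and the index override from one props stanza keyed on the source, covering David's point that the split has to happen on the parsing/indexing tier and Giuseppe's override stanza. This is an added example written for this thread, not configuration from the thread's participants or from the Windows/Defender TAs; the source value, the index name ms_def and the sourcetype windows:defender are the ones quoted earlier in the thread, and the transform stanza names are assumed.

```conf
# props.conf
# Place on the first full Splunk instance that parses the data (heavy forwarder or indexer);
# a universal forwarder does not run index-time transforms.
# Added example: stanza key is the source value quoted in the question.
[source::WinEventLog:Microsoft-Windows-Windows Defender/Operational]
# Transforms run in the listed order; both fire on every event carrying this source.
TRANSFORMS-windef = windef_set_sourcetype, windef_set_index

# transforms.conf
[windef_set_sourcetype]
# "." matches any character, so every event of the source is rewritten.
# ("*" on its own is not a valid regex and the transform would never match.)
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::windows:defender

[windef_set_index]
REGEX = .
# Index key carries a leading underscore, unlike the sourcetype key.
DEST_KEY = _MetaData:Index
# Target index must already be defined on the indexers (indexes.conf).
FORMAT = ms_def
```

After a restart of the parsing tier, check with index=ms_def sourcetype=windows:defender. If nothing arrives, the usual cause is that the props stanza only matches the literal source string: run a search over the original index with | stats count by source and compare the value forwarded events actually carry against the stanza key. Because these are index-time transforms, events already indexed under the old sourcetype and index are unaffected, which is the point made above about re-indexing.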
Is there a way to also send it to a unique index?
Thank you! Will give this a shot.