So I have read many of the posts here regarding Windows Event Collection and Splunk. So far I have not been able to find what I'm looking for, which is probably pretty basic stuff, but I haven't been able to get Splunk to do what I need.
Here are my questions:
How do I get Splunk to override the host with the computername? I have tried setting this up in props and transforms on my Indexer (not the WEC Collector server running the Universal Forwarder). I copied the props and transforms to /splunk/etc/system/local and edited those, as per the warning in the files. I assume that is the correct location for those files. I have tried both of these (one at a time) and neither worked.
Am I supposed to be setting this up on the indexer or on the WEC server where the Forwarder is installed?
[WinEventLog:*]
TRANSFORMS-change_host = WinEventHostOverride

[(?:::){0}WinEventLog:...]
TRANSFORMS-FixWinEventLogHost = WinEventLog-SetForwarderName,WinEventLog-SetOriginatingHost
When my WEC server receives security events from various Windows boxes, those events get forwarded to Splunk; however, they show up as coming from the WEC server, not from the individual computername.
Is it possible to get the Universal Forwarder to NOT FORWARD all of its Metrics info, etc.? When I do a search in Splunk for things from my WEC server I see page after page of this.
When I install the Forwarder, should I be selecting "Forwarded Events" and "Security Events" or just one or the other? I only want Security Events, however, they are forwarded from other systems.
Thanks for any assistance!
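As an added example (not from the original post), here is a transforms.conf/props.conf pair that rewrites each forwarded event's host from the ComputerName the Universal Forwarder renders into the event body; the sourcetype name assumes the forwarder's "Forwarded Events" input, and the regex assumes classic (non-XML) rendering:

```ini
# transforms.conf (on the parsing tier, e.g. $SPLUNK_HOME/etc/system/local/)
# Replace the host metadata with the value of the ComputerName= line, which
# for a collected event names the originating machine, not the WEC server.
[WinEventHostOverride]
DEST_KEY = MetaData:Host
REGEX = (?m)^ComputerName=(\S+)
FORMAT = host::$1

# If the input uses renderXml = true, the originating machine is in the
# <Computer> element instead, so use this regex in place of the one above:
# REGEX = <Computer>([^<]+)</Computer>

# props.conf (same directory). The stanza is the exact sourcetype that the
# forwarder's Forwarded Events input assigns (assumed here); bind the
# transform to it so it runs at index time.
[WinEventLog:ForwardedEvents]
TRANSFORMS-change_host = WinEventHostOverride
```

Because a Universal Forwarder does not parse events, an index-time TRANSFORMS rule like this takes effect on the indexer (or a heavy forwarder), not on the WEC host; restart splunkd there after editing.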