I would caution against this because as your environment grows you will likely need to start creating different apps that turn on specific inputs stanzas with specific event codes for sets of hosts.
SPLUNK GROUP BY APP WINDOWS
The first thing you need to do is find the nf file that is specifying your Windows Event Log stanzas–a lot of people put this in the local folder of the “Splunk_TA_Windows” and deploy the app to all of their Windows hosts.
SPLUNK GROUP BY APP CODE
For this reason, I would recommend doing your basic filters in the advanced filtering form so that you can easily expand in the future if needed (example in code block below). BEWARE: You can NOT mix basic and advanced formats under the same wineventlog stanza, this will break your ingestion for that log source. By “basic filtering” I’m referring to straightforward whitelists/blacklists that only filter on event codes. For many environments, you can get away with using only basic filtering. Now let’s talk about how we get started with filtering. This is something we consider to be a best practice and will be useful for more than just your Windows Event logs. The idea is that you’re going to split up your configuration into multiple apps in order to apply more granular configuration to the correct set of hosts. The above image shows how you should visualize this approach. As in the previous school of thought, you need to be careful not to miss important event codes. The other possibility is you have some complex requirements that make it necessary to juggle whitelists/blacklists to get what you want. Commonly happens when you didn’t follow one of the other two approaches. This is less of an approach and more of a reactionary configuration. When you use this method, you want to be careful you’re not missing precious logs that you forgot to whitelist. This method is going to require that you explicitly whitelist exactly what you want under each of your eventlog stanzas, and you are not going to be using any blacklists.
SPLUNK GROUP BY APP LICENSE
This is another common approach often used when you have a limited amount of license capacity to work with. Once you have your standard event code blacklist, you can hone in on specific events which aren’t useful and use advanced filtering techniques to drop those. To filter down you then configure blacklists to drop specific event codes that you do not need. So, the default behavior is to grab all event codes under that Event Log Channel. With this method you are never declaring a whitelist. This is the most common approach to working with Windows Event Logs, and it’s typically the easiest way to get your desired result. Deployment Strategies Give Me All the Events, Except Certain Ones This is going to give you more control over what data you’re bringing in and allow you to more easily manage what hosts send what data as your environment grows.Ĭombining these strategies will get you the most bang for your buck by optimizing your Windows event log data ingestion. Lastly, I will cover how you can structure your inputs deployment in a layered approach. The caveat being the inability to alter event text, so if you want to do that you still need to do this on the indexers (which I will go over as well). This means you can filter out data before it’s ever sent over the wire and save yourself from wasting precious bandwidth and compute cycles on your indexers. The primary benefit of whitelists/blacklists for Windows Event Logs is that we get to do the filter at the ingestion pipeline instead of at the typing pipeline, which is how filtering is traditionally handled in Splunk. This means you can combine whitelists/blacklists together to achieve a certain result (I.E, default allow all in X eventcode, but deny specific strings in X eventcode). You should also note that Splunk processes whitelists first, then blacklists. If you add a single whitelist statement, Splunk will only index events which match your whitelist for that particular input stanza and ignore the rest of the events. It’s important to understand that by default all event codes will be indexed if you do not specify a whitelist. You can default to allow all with explicit denies, default to deny all with explicit allows, or a hybrid of explicit allows/denies. Before we get started, you should consider a strategy for how you ingest your Windows event logs. In this tutorial, I’ll explain how you can do both of these things so you only bring in the data you need.
The answer to both of these questions is by leveraging the advanced filtering techniques at the input level and event routing at the indexing level. When working with Windows event logs in your Splunk environment it’s typical to come across two scenarios: How do I get rid of specific events that aren’t necessary for my use case? How do I trim off the duplicated text at the bottom of events that’s chewing up my license?
0 kommentar(er)
