topic Re: windows Event filtering in All Apps and Add-ons

windows Event filtering

AKG — Mon, 28 Sep 2020 14:48:39 GMT

We are trying to discard some noisy events from a windows server with specific event ID and wanted to do this from index server(not from forwarder).

we are not sure if we can use the conditional statement on transforms.conf file? I have following sample file and will appreciate if you could help us

I have copied relevant stanza from /default to /local and created two files as below

/local/props.conf
[wmi]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+---splunk-wmi-end-of-event---\r\n[\r\n]*)
CHARSET = UTF-8
TRANSFORMS-wmi=wminull

/local/transforms.conf
[wminull]
REGEX = (?m)ComputerName=(hostname)
DEST_KEY = MetaData:Host
FORMAT = host::$1

---where do i put event ID?--------

Thank you

Re: windows Event filtering

lukejadamec — Thu, 19 Sep 2013 02:20:27 GMT

This is very easy to do. But, we need more information.
Which events would you like to drop?

Re: windows Event filtering

AKG — Thu, 19 Sep 2013 02:24:39 GMT

Hi Luke Thanks for the reply

event ID:- 4776
logon account:- dms-user
Server Name :- dms-server

Thank you

Re: windows Event filtering

lukejadamec — Thu, 19 Sep 2013 02:44:43 GMT

How funny is that, not one field but 3. It's still easy, but it will take a little time. Unfortunately, it is bed time for me.
What you're looking to do is to drop a particular event, and the solution will be based on the answer to this post:
http://answers.splunk.com/answers/99905/how-to-forward-only-specific-windows-eventlogs-via-splunk-universal-forwarder
As you can see, the regex will need to be modified to include the multiple field values you've specified.
If it is not already done by the time I wake up, I'll give you a solution in the morning.

Re: windows Event filtering

AKG — Thu, 19 Sep 2013 03:34:07 GMT

Ya we are also trying to make sure all those three conditions are true(AND condition rather Than Or) before we drop the event.

Thank you

Re: windows Event filtering

lukejadamec — Thu, 19 Sep 2013 13:05:05 GMT

This should work for you:

props.conf

     [source::wineventlog:security]
     TRANSFORMS-drop = delFilter

transforms.conf

    [delFilter]
    REGEX = (?msi)^EventCode=4776\D.*^Logon\s+Account:\s+dms-user.*^Source\s+Workstation:\s+dms-server
    DEST_KEY = queue
    FORMAT = nullQueue

You will notice that I changed your Server Name to Source Workstation because the EventCode 4776 does not have a Server Name field. If you meant Computer Name, then that would need to get inserted between Event Code and Logon Account. Like this:

[delFilter]
        REGEX = (?msi)^EventCode=4776\D.*^ComputerName=dms-server.*^Logon\s+Account:\s+dms-user
        DEST_KEY = queue
        FORMAT = nullQueue

Good questions.

1) Yes, they need to be created on the indexer unless there is a heavy forwarder in between the source and indexer – in which case they might need to go on the forwarder depending on whether or not the heavy forwarder is ‘cooking’ data.

2) For props.conf and transforms.conf, you may have other entries, but be careful that they don’t conflict with the entries for this filter.

3) WMI inputs and monitoring Windows Eventlogs are two different animals.

a. The_wolverine says that the source needs to be specified as wmi for wmi data, but can be the standard wineventlog:security for monitoring of event logs. But, that was an old post, so perhaps things have changed. You can read the post for yourself
here:

http://answers.splunk.com/answers/3239/try-to-route-certain-wmi-events-to-nullqueue

b. What this means is that for the props.conf [source::wineventlog:security] you might need to change it to [wmi].

I can’t test this until tomorrow.

Re: windows Event filtering

AKG — Thu, 19 Sep 2013 23:39:07 GMT

Hi Luke

Thanks for the answer and you are right I meant Computer-Name not server name.

I didn't quite understand why s+Workstation:\s+dms-server needed if we just want to validate against three conditions(as above).

so which one would be right one?

REGEX = (?msi)^EventCode=4776\ComputerName=dms-server\D.^Logon\s+Account:\s+dms-user.^Source\s+Workstation:\s+dms-server

REGEX = (?msi)^EventCode=4776\ComputerName=dms-server\D.^Logon\s+Account:\s+dms-user.^Source

Thank you again.

Re: windows Event filtering

lukejadamec — Thu, 19 Sep 2013 23:50:14 GMT

As you can see, putting code in comments is hard because the system strips out special characters. I'll update the answer to use ComputerName shortly.

Re: windows Event filtering

lukejadamec — Fri, 20 Sep 2013 00:14:39 GMT

You don't need Source Workstation if you need ComputerName instead. I updated the answer with the code.

Re: windows Event filtering

AKG — Fri, 20 Sep 2013 01:15:51 GMT

Thanks for that and appreciated it

Let me confirm few things and please correct me if i am doing something wrong

1) Create two files (props.conf and transforms.conf)on index server(not on forwarder).
2) Two files doesn't have any other contains apart from above lines(of course with appropriate names).

How do we differentiate source type to be WMI or windowsEventlog?

Thank you

Re: windows Event filtering

AKG — Fri, 20 Sep 2013 01:45:46 GMT

Thanks Luke

All done its working now. I had to change the source in props.conf as below and it worked as charm.

[source::WinEventLog:ForwardedEvents]

Also if I want to filter another server with similar category can i just insert another REGEX line in transforms.conf file?

Thank you

Re: windows Event filtering

lukejadamec — Fri, 20 Sep 2013 01:56:40 GMT

To insert another server in the ComputerName field, then you need to use the OR operator (otherwise|known as pipe).
For example:

ComputerName=(dms-server1|dms-server2)

Re: windows Event filtering

AKG — Sun, 22 Sep 2013 23:45:17 GMT

Thank you very much Luke very much appreciated and things are working as expected.

Thank you gain.

Re: windows Event filtering

LewisWheeler — Tue, 26 Apr 2016 22:18:39 GMT

Just to note, still works completely fine. Used this as a base to get rid of Logoff events.