https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/576093#M10796 <P>Please share how you solved the problem so others might benefit from your experience.</P> Tue, 23 Nov 2021 21:28:27 GMT richgalloway 2021-11-23T21:28:27Z https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575423#M10739 <P>Not working SEDCMD in my props.conf</P><P>&nbsp;</P><P>/opt/splunk/etc/system/local/props.conf</P><P>&nbsp;</P><P>[ActiveDirectory]</P><P><SPAN>SEDCMD-mask_ms_pwd =&nbsp;</SPAN>s/(ms-Mcs-AdmPwd\s*=)\s*.*/ms-Mcs-AdmPwd=*******/<SPAN class="">&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN class="">I checked it on regex101.com everything works.&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="gitingua_0-1637233486910.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16905iA125C38E7DEA0A41/image-size/medium?v=v2&amp;px=400" role="button" title="gitingua_0-1637233486910.png" alt="gitingua_0-1637233486910.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>wrote a line in props.conf and reloaded splunk. but still hides nothing</P> Thu, 18 Nov 2021 11:07:11 GMT https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575423#M10739 gitingua 2021-11-18T11:07:11Z https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575450#M10741 <P>It would help to see a full event as it appears as though the current SEDCMD will replace everything that follows "<SPAN>ms-Mcs-AdmPwd=", not just the password.&nbsp; Please post the event as text rather than a screenshot so we can test with it.</SPAN></P><P><SPAN>Recall that changes to SEDCMD affect only new data and not data that is already indexed.</SPAN></P> Thu, 18 Nov 2021 14:16:23 GMT https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575450#M10741 richgalloway 2021-11-18T14:16:23Z https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575454#M10743 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;I know what's new. new events do not change</P><P><SPAN class=""><SPAN class="">ms-Mcs</SPAN>-AdmPwd</SPAN><SPAN>=a</SPAN><SPAN class="">01LePq5</SPAN></P><P><SPAN class="">exactly what is needed. or the desired complete</SPAN></P> Thu, 18 Nov 2021 14:32:04 GMT https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575454#M10743 gitingua 2021-11-18T14:32:04Z https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575477#M10745 <P>Try this regex.</P><LI-CODE lang="markup">SEDCMD-mask_ms_pwd = s/(ms-Mcs-AdmPwd)=(.*)/\1=******/g</LI-CODE> Thu, 18 Nov 2021 15:49:44 GMT https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575477#M10745 richgalloway 2021-11-18T15:49:44Z https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575480#M10746 <P>not working&nbsp;</P><P>i changed and rebooted at 18:52. at 18:55 the event came as before</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="gitingua_0-1637251211464.jpeg" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16913iF9EFB3B1F496AF92/image-size/medium?v=v2&amp;px=400" role="button" title="gitingua_0-1637251211464.jpeg" alt="gitingua_0-1637251211464.jpeg" /></span></P><P>&nbsp;</P><P>props.conf&nbsp;</P><P><SPAN>[ActiveDirectory]</SPAN></P><P><SPAN>SHOULD_LINEMERGE = false</SPAN></P><P><SPAN>LINE_BREAKER = ([\r\n]+---splunk-admon-end-of-event---\r\n[\r\n]*)</SPAN></P><P><SPAN>EXTRACT-GUID = (?i)(?!=\w)(?:objectguid|guid)\s*=\s*(?&lt;guid_lookup&gt;[\w\-]+)</SPAN></P><P><SPAN>EXTRACT-SID = objectSid\s*=\s*(?&lt;sid_lookup&gt;\S+)</SPAN></P><P><SPAN>SEDCMD-mask_ms_pwd = s/(ms-Mcs-AdmPwd)=(.*)/\1=******/g</SPAN></P><P>&nbsp;</P><P><SPAN>Maybe something from the other lines bothers him?</SPAN></P><P>&nbsp;</P> Thu, 18 Nov 2021 16:03:35 GMT https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575480#M10746 gitingua 2021-11-18T16:03:35Z https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575513#M10748 <P>Would you mind sharing the raw event?&nbsp; That is what SEDCMD sees so it's what we should be working with.</P> Thu, 18 Nov 2021 17:44:23 GMT https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575513#M10748 richgalloway 2021-11-18T17:44:23Z https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575859#M10779 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>&nbsp;</P><P>no access to raw data. but I found a question similar to mine. and there are sources where they show an example. I drove them but also unsuccessfully</P><P><A href="https://community.splunk.com/t5/Getting-Data-In/ms-Mcs-AdmPwd-Plaintext-in-Splunk/td-p/562704" target="_blank">https://community.splunk.com/t5/Getting-Data-In/ms-Mcs-AdmPwd-Plaintext-in-Splunk/td-p/562704</A></P> Mon, 22 Nov 2021 12:10:07 GMT https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575859#M10779 gitingua 2021-11-22T12:10:07Z https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575862#M10780 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>&nbsp;</P><P><A href="https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/laps-splunk-account-reading-ms-mcs-admpwd/m-p/2242426" target="_blank">https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/laps-splunk-account-reading-ms-mcs-admpwd/m-p/2242426</A></P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://www.databl.io/anonymise-your-clear-text-laps-passwords-in-splunk/" target="_blank">https://www.databl.io/anonymise-your-clear-text-laps-passwords-in-splunk/</A>&nbsp;</P> Mon, 22 Nov 2021 12:13:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575862#M10780 gitingua 2021-11-22T12:13:13Z https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575870#M10781 <P>Where are you putting the props.conf file?&nbsp; It must be on the indexers and, if you have them, heavy forwarders.&nbsp; The instances must be restarted after making changes.</P> Mon, 22 Nov 2021 13:44:51 GMT https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575870#M10781 richgalloway 2021-11-22T13:44:51Z https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575882#M10782 <P>indexer&nbsp;</P><P>/opt/splunk/etc/system/local/props.conf&nbsp;</P><P>Yes. I restarted every time I changed there</P><P>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P> Mon, 22 Nov 2021 14:11:07 GMT https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/575882#M10782 gitingua 2021-11-22T14:11:07Z https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/576081#M10795 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>&nbsp;</P><P>i solved this problem</P> Tue, 23 Nov 2021 20:21:59 GMT https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/576081#M10795 gitingua 2021-11-23T20:21:59Z https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/576093#M10796 <P>Please share how you solved the problem so others might benefit from your experience.</P> Tue, 23 Nov 2021 21:28:27 GMT https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/576093#M10796 richgalloway 2021-11-23T21:28:27Z https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/576094#M10797 <P><SPAN>You can deploy a props.conf configuration utilising “SEDCMD” and have it apply to the sourcetype “ActiveDirectory”. This means, as the data is streaming into Splunk and before it ends up on disk “indexed”, it will be anonymised. To do this we utilise the Splunk “SEDCMD”. This is much like the sed command you would find on a *nix based system. Ideally the props.conf file should be placed on a Splunk Heavy Forwarder on it’s path towards the Indexer, you could place this configuration on an indexer, but to avoid potential performance issues try use a<STRONG> Splunk Heavy Forwarder.</STRONG></SPAN></P><P><SPAN class="">&nbsp;</SPAN>deploy-server<SPAN><STRONG>&nbsp;vim /opt/splunk/etc/</STRONG></SPAN><STRONG>deployment-apps/Splunk_TA_windows</STRONG></P><PRE># props.conf on a HF. [ActiveDirectory] SEDCMD-anonymiseLaps = s/ms-Mcs-AdmPwd\=.*/ms-Mcs-AdmPwd=####!!!!!#####/g</PRE><P>save&nbsp;</P><P>&nbsp;</P><P>deploy-server$&nbsp;/opt/splunk/bin/splunk reload deploy-server</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 23 Nov 2021 21:38:22 GMT https://community.splunk.com/t5/Splunk-Enterprise/Not-working-SEDCMD-Props-conf-help/m-p/576094#M10797 gitingua 2021-11-23T21:38:22Z