https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308666#M4091 <P>I need to prevent them from being indexed.</P> Sat, 18 Feb 2017 23:45:23 GMT Nsdjanin 2017-02-18T23:45:23Z https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308662#M4087 <P>Hello everybody,</P> <P>I'm new in this field and I have one question.<BR /> We have too many windows security logs indexed that are generated by machine accounts.<BR /> I want to filter out logs that looks like this:</P> <P>LogName=Security<BR /> SourceName=Microsoft Windows security auditing.<BR /> EventCode=4658<BR /> EventType=0<BR /> Type=Information<BR /> ComputerName=comp1.domain.com<BR /> TaskCategory=Removable Storage<BR /> OpCode=Info<BR /> RecordNumber=4463688<BR /> Keywords=Audit Success<BR /> Message=The handle to an object was closed.</P> <P>Subject :<BR /> Security ID: DOMAIN1\SERVER01$<BR /> Account Name: SERVER01$<BR /> Account Domain: DOMAIN1<BR /> Logon ID: 0x347732</P> <P>I need to filter out logs that have "Account Name: SERVER01$".<BR /> What is the best way to do this?<BR /> I know about props.conf and transforms.conf, but I don't know how to generate right regex for that.</P> <P>Please help!</P> Sat, 18 Feb 2017 15:20:24 GMT https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308662#M4087 Nsdjanin 2017-02-18T15:20:24Z https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308663#M4088 <P>You need to blacklist your <STRONG>[WinEventLog://Security]</STRONG> input in inputs.conf</P> <PRE><CODE>blacklist= EventCode="4658" </CODE></PRE> <P>Refer to the documentation for using Whitelist and Blacklist in input.conf<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Create_advanced_filters_with_.27whitelist.27_and_.27blacklist.27">http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Create_advanced_filters_with_.27whitelist.27_and_.27blacklist.27</A></P> <P>Also for specs and conf of inputs.conf please refer <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf</A></P> Sat, 18 Feb 2017 17:46:37 GMT https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308663#M4088 niketn 2017-02-18T17:46:37Z https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308664#M4089 <P>niketnilay thanks on answer but i need eventcode 4658.<BR /> I want to filter out only machine account Account Name: SERVER01$ that generates these logs. Other accounts I need.</P> Sat, 18 Feb 2017 18:22:18 GMT https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308664#M4089 Nsdjanin 2017-02-18T18:22:18Z https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308665#M4090 <P>Do you need to prevent them from being indexed or do you need them to be dropped from a specific search's results set?</P> Sat, 18 Feb 2017 23:12:46 GMT https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308665#M4090 woodcock 2017-02-18T23:12:46Z https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308666#M4091 <P>I need to prevent them from being indexed.</P> Sat, 18 Feb 2017 23:45:23 GMT https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308666#M4091 Nsdjanin 2017-02-18T23:45:23Z https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308667#M4092 <P>Assuming that the <CODE>sourcetype</CODE> is <CODE>WinEventLog:Security</CODE>:</P> <P>In props.conf:</P> <PRE><CODE>[source::WinEventLog:Security] TRANSFORMS-eliminate-4658-SERVER01 = eliminate-4658-SERVER01 </CODE></PRE> <P>In transforms.conf:</P> <PRE><CODE>[eliminate-4658-SERVER01] REGEX = (?ms)[\s\r\n]+EventCode\s*=\s*4658[\s\r\n]+.*[\s\r\n]+Account\s+Name:\s*SERVER01\$[\s\r\n]+ DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>You will need to restart <CODE>splunkd</CODE> on EVERY indexer and even then, only post-restart events will be dropped (what is in is in).</P> Sun, 19 Feb 2017 01:31:23 GMT https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308667#M4092 woodcock 2017-02-19T01:31:23Z https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308668#M4093 <P>See my answer.</P> Sun, 19 Feb 2017 01:32:00 GMT https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308668#M4093 woodcock 2017-02-19T01:32:00Z https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308669#M4094 <P>Woodcock thanks, but after your proposed changes I now have a situation that all of mine security logs from this particular machine is filtered out. Not only 4658 with account name SERVER01$ but all.<BR /> Do you have any idea?</P> Sun, 19 Feb 2017 08:48:06 GMT https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308669#M4094 Nsdjanin 2017-02-19T08:48:06Z https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308670#M4095 <P>First, I forgot 1 key configuration: <CODE>FORMAT = nullQueue</CODE> (I updated the answer). But that mistake should not have caused what you are describing. Fix that mistake and if it doesn't behave, then perhaps there is something else that you added that is doing this (e.g. <CODE>blacklist</CODE>).</P> Sun, 19 Feb 2017 14:52:30 GMT https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308670#M4095 woodcock 2017-02-19T14:52:30Z https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308671#M4096 <P>Props.conf<BR /> [source::WinEventLog:Security]<BR /> TRANSFORMS-filterWinSecNull = filterWinSecNull</P> <P>Transforms.conf<BR /> [filterWinSecNull]<BR /> REGEX = (?ms)[\s\r\n]+EventCode\s*=\s*4658[\s\r\n]+.*[\s\r\n]+Account\s+Name:\s*SERVER01\$[\s\r\n]+<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>These are my props.conf and transforms.conf files.<BR /> I don't have any blacklists.<BR /> This configuration filters out all windows security logs from that particular machine that has lots of logs with Account name SERVER01$.</P> <P>Do you have any ideas?<BR /> .<BR /> Thanks in advance</P> Tue, 29 Sep 2020 12:55:05 GMT https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308671#M4096 Nsdjanin 2020-09-29T12:55:05Z https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308672#M4097 <P>It looks fine to me and it should work as you listed it. I am at a loss.</P> Sun, 19 Feb 2017 21:26:35 GMT https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/308672#M4097 woodcock 2017-02-19T21:26:35Z https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/567752#M4098 <P>Maybe you want to use this -</P><P>| regex Account_Name!="\$$"<BR /><BR />I am using this in my search string and it drop all the hostname$&nbsp;</P> Mon, 20 Sep 2021 21:45:36 GMT https://community.splunk.com/t5/Splunk-Dev/I-need-to-filter-out-logs-that-have-quot-Account-Name-SERVER01/m-p/567752#M4098 splunknewbie81 2021-09-20T21:45:36Z