https://community.splunk.com/t5/Splunk-Dev/Filter-out-events-Windows-before-Indexing/m-p/433585#M7788 <P>I notice in your example event the XML syntax is wrong:</P> <PRE><CODE>&lt;EventID&gt;4624/EventID&gt; </CODE></PRE> <P>It should be:</P> <PRE><CODE>&lt;EventID&gt;4624&lt;/EventID&gt; </CODE></PRE> <P>Correcting that, the following regex seems to work:</P> <PRE><CODE>\&lt;EventID\&gt;4624\&lt;\/EventID&gt;.+\&lt;Data\s+Name='LogonProcessName'&gt;NtLmSsp|\&lt;Data\s+Name='LogonProcessName'&gt;NtLmSsp.+\&lt;EventID\&gt;4624\&lt;\/EventID&gt; </CODE></PRE> <P>This accounts for EventID occurring before or after the NtLmSsp LogonProcessName</P> Wed, 30 Jan 2019 21:39:02 GMT jconger 2019-01-30T21:39:02Z https://community.splunk.com/t5/Splunk-Dev/Filter-out-events-Windows-before-Indexing/m-p/433584#M7787 <P>Hi Guys!</P> <P>How to create a filter to discard Windows logon events (EventID = 4624), but only when the LogonProcessName field is equal to 'NtLmSsp'?</P> <P>The logs are in XML format. </P> <P>I've tried several REGEX, but none worked.</P> <P>Please, who has an idea?</P> <PRE><CODE>&lt;Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'&gt;&lt;System&gt;&lt;Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54645625-5678-4344-A5AA-E3A0356C30D}'/&gt; &lt;EventID&gt;4624/EventID&gt;&lt;Version&gt;2&lt;/Version&gt;&lt;Level&gt;0&lt;/Level&gt;&lt;Task&gt;12544&lt;/Task&gt;&lt;Opcode&gt;0&lt;/Opcode&gt;&lt;Keywords&gt;0x8020000000000000&lt;/Keywords&gt;&lt;TimeCreated SystemTime='2019-01-29T16:09:38.913252400Z'/&gt;&lt;EventRecordID&gt;602433466&lt;/EventRecordID&gt;&lt;Correlation/&gt;&lt;Execution ProcessID='612' ThreadID='11820'/&gt;&lt;Channel&gt;Security&lt;/Channel&gt;&lt;Computer&gt;DC01.mydomain.com&lt;/Computer&gt;&lt;Security/&gt;&lt;/System&gt;&lt;EventData&gt;&lt;Data Name='SubjectUserSid'&gt;NULL SID&lt;/Data&gt;&lt;Data Name='SubjectUserName'&gt;-&lt;/Data&gt;&lt;Data Name='SubjectDomainName'&gt;-&lt;/Data&gt;&lt;Data Name='SubjectLogonId'&gt;0x0&lt;/Data&gt;&lt;Data Name='TargetUserSid'&gt;MTI\user01&lt;/Data&gt;&lt;Data Name='TargetUserName'&gt;user01&lt;/Data&gt;&lt;Data Name='TargetDomainName'&gt;mydomain&lt;/Data&gt;&lt;Data Name='TargetLogonId'&gt;0x280731681&lt;/Data&gt;&lt;Data Name='LogonType'&gt;3&lt;/Data&gt;&lt;Data Name='LogonProcessName'&gt;NtLmSsp &lt;/Data&gt;&lt;Data Name='AuthenticationPackageName'&gt;NTLM&lt;/Data&gt;&lt;Data Name='WorkstationName'&gt;COMP01&lt;/Data&gt;&lt;Data Name='LogonGuid'&gt;{00000000-0000-0000-0000-000000000000}&lt;/Data&gt;&lt;Data Name='TransmittedServices'&gt;-&lt;/Data&gt;&lt;Data Name='LmPackageName'&gt;NTLM V2&lt;/Data&gt;&lt;Data Name='KeyLength'&gt;0&lt;/Data&gt;&lt;Data Name='ProcessId'&gt;0x0&lt;/Data&gt;&lt;Data Name='ProcessName'&gt;-&lt;/Data&gt;&lt;Data Name='IpAddress'&gt;-&lt;/Data&gt;&lt;Data Name='IpPort'&gt;-&lt;/Data&gt;&lt;Data Name='ImpersonationLevel'&gt;%%1833&lt;/Data&gt;&lt;Data Name='RestrictedAdminMode'&gt;-&lt;/Data&gt;&lt;Data Name='TargetOutboundUserName'&gt;-&lt;/Data&gt;&lt;Data Name='TargetOutboundDomainName'&gt;-&lt;/Data&gt;&lt;Data Name='VirtualAccount'&gt;%%1843&lt;/Data&gt;&lt;Data Name='TargetLinkedLogonId'&gt;0x0&lt;/Data&gt;&lt;Data Name='ElevatedToken'&gt;%%1842&lt;/Data&gt;&lt;/EventData&gt;&lt;/Event&gt; </CODE></PRE> <P><EM>props.conf</EM><BR /> [XmlWinEventLog]<BR /> TRANSFORMS-set=setnull</P> <P><EM>transforms.conf</EM><BR /> [setnull]<BR /> REGEX = (?m)(4624&lt;\/EventID&gt;).+(NtLmSsp\s+&lt;\/Data&gt;)<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <UL> <LI>Other REGEX used unsuccessfully: REGEX = (?m)EventCode\s*=\s*4624.<EM>?LogonProcessName\s</EM>=\s*NtLmSsp\s REGEX = (?m)LogonProcessName=(NtLmSsp) REGEX = (?m)^EventCode=(4624).+(LogonProcessName=NtLmSsp)</LI> </UL> <P>Thank you very much in advance.<BR /> []s</P> Tue, 29 Sep 2020 22:59:32 GMT https://community.splunk.com/t5/Splunk-Dev/Filter-out-events-Windows-before-Indexing/m-p/433584#M7787 jfeitosa_real 2020-09-29T22:59:32Z https://community.splunk.com/t5/Splunk-Dev/Filter-out-events-Windows-before-Indexing/m-p/433585#M7788 <P>I notice in your example event the XML syntax is wrong:</P> <PRE><CODE>&lt;EventID&gt;4624/EventID&gt; </CODE></PRE> <P>It should be:</P> <PRE><CODE>&lt;EventID&gt;4624&lt;/EventID&gt; </CODE></PRE> <P>Correcting that, the following regex seems to work:</P> <PRE><CODE>\&lt;EventID\&gt;4624\&lt;\/EventID&gt;.+\&lt;Data\s+Name='LogonProcessName'&gt;NtLmSsp|\&lt;Data\s+Name='LogonProcessName'&gt;NtLmSsp.+\&lt;EventID\&gt;4624\&lt;\/EventID&gt; </CODE></PRE> <P>This accounts for EventID occurring before or after the NtLmSsp LogonProcessName</P> Wed, 30 Jan 2019 21:39:02 GMT https://community.splunk.com/t5/Splunk-Dev/Filter-out-events-Windows-before-Indexing/m-p/433585#M7788 jconger 2019-01-30T21:39:02Z https://community.splunk.com/t5/Splunk-Dev/Filter-out-events-Windows-before-Indexing/m-p/433586#M7789 <P>Unfortunately it did not work the regex you passed.</P> <P>[setnull]<BR /> REGEX = \4624&lt;\/EventID&gt;.+\NtLmSsp|\NtLmSsp.+\4624&lt;\/EventID&gt;<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>I tried it another way, but it did not work either.</P> <P>Thank you!</P> Thu, 31 Jan 2019 22:14:13 GMT https://community.splunk.com/t5/Splunk-Dev/Filter-out-events-Windows-before-Indexing/m-p/433586#M7789 jfeitosa_real 2019-01-31T22:14:13Z