topic WEF .conf files in Getting Data In

WEF .conf files

Gil — Tue, 23 Jul 2024 12:13:48 GMT

Hi,

in our organization we use wef to monitor windows.

we configure an inputs.conf for monitoring from the Event viewer.

the powershell events (mainly event code 800 and 4103) logs received too long and we want to cut duplicated data.

we tried various test with props.conf and transforms.conf and nothing works, here some of our stanzas we tried in props.conf

[source::"XmlWinEventLog:Windows PowerShell"] SEDCMD-CLean_powershell_800 = s/s/\n\s+Context\sInformation\:.*([\r\n]+.*){0,500}////g SEDCMD-CLean_powershell_4103 = s/s/\s+Context\:.*([\r\n]+.*){0,500}////g [source::XmlWinEventLog:Microsoft-Windows-PowerShell/Operational] SEDCMD-CLean_powershell_800 = s/s/\n\s+Context\sInformation\:.*([\r\n]+.*){0,500}////g SEDCMD-CLean_powershell_4103 = s/s/\s+Context\:.*([\r\n]+.*){0,500}////g [WinEventLog://Microsoft-Windows-PowerShell/Operational] SEDCMD-CLean_powershell_800 = s/s/\n\s+Context\sInformation\:.*([\r\n]+.*){0,500}////g SEDCMD-CLean_powershell_4103 = s/s/\s+Context\:.*([\r\n]+.*){0,500}////g

also i wanted to make sure the inputs.conf stanza for powershell is correctly when i used :

renderXml = true

over:

wec_event_format = rendered_event

Re: WEF .conf files

richgalloway — Sun, 21 Jul 2024 14:06:04 GMT

I see a few issues, but don't know that fixing them will solve the problem.

1. All of the sed commands are malformed. There should be a single "s/" at the beginning and only 2 slashes before the final 'g'.

2: I'm not sure quotation marks are allowed in a stanza name.

3. "WinEventLog://" is a prefix for inputs.conf stanzas, not for props.conf.

4. Have you tried using a sourcetype name in the props.conf stanza rather than a source name?

It would help to see some sample events and to know which parts of the events you wish to remove.

If you want someone to confirm the inputs.conf stanza then you'll need to show the inputs.conf stanza.

Re: WEF .conf files

Gil — Tue, 23 Jul 2024 09:18:05 GMT

your suggestion didn't help unfortunately ,
this is an example for a log, I need to cut all the data after "Context Information" (include)

attachment is added.

Re: WEF .conf files

richgalloway — Tue, 23 Jul 2024 12:05:05 GMT

Which of the 4 suggestions did you try? Did none of them help?

It would help to have the event in text rather than as an image since it's impossible to put an image in regex101.com for testing. Try this untested prop

[mysourcetype] SEDCMD-noContext = s/Context Information:.*/Context Information:/g

Re: WEF .conf files

Gil — Tue, 23 Jul 2024 13:47:45 GMT

we found something else that helped us.

but thanks for your help!

Re: WEF .conf files

PickleRick — Tue, 23 Jul 2024 20:40:18 GMT

It would be nice if you wrote what solved your problem.

My suspicion is that either you had your setting on a wrong component or you referenced wrong source (with WEF-forwarded events the addon does rewrite of the source from the ForwardedEvents eventlog to the original eventlog the event was forwarded fron)

Re: WEF .conf files

Gil — Wed, 24 Jul 2024 12:23:32 GMT

as mention we drop one of the "s/" and also the "g" at the end:

SEDCMD-CLean_powershell_800 = s/\n\s+Context Information\:.*([\r\n]+.*){0,500}// SEDCMD-CLean_powershell_4103 = s/\s+Context\:.*([\r\n]+.*){0,500}//

Re: WEF .conf files

richgalloway — Wed, 24 Jul 2024 12:18:14 GMT

So you didn't "find something else that helped". You used my answer.

Re: WEF .conf files

Gil — Thu, 25 Jul 2024 10:19:55 GMT

you didn't say to drop the "g" at the end.

of course your suggestion helped but not fully.