https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-filter/m-p/62405#M12488 <P>Example for Windows 2008 WinSecurity events:</P> <P>[dropevents] <BR /> REGEX = (?msi)^EventCode=(4776|4648|4624|4634).*^Keywords=Audit\sSuccess <BR /> DEST_KEY = queue <BR /> FORMAT = nullQueue </P> <P>You can also use the following site to verify the regex: </P> <P><A href="http://gskinner.com/RegExr/?31r9a">http://gskinner.com/RegExr/?31r9a</A></P> Wed, 11 Sep 2013 22:39:21 GMT splunkIT 2013-09-11T22:39:21Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-filter/m-p/62402#M12485 <P>I'm running Splunk 4.2.5 server on CentOS. I've also installed SplunkForwarder 4.3 on a Win2k3 server, collecting Application, Security, and System events. </P> <P>On the server, I have defined</P> <P>props.conf<BR /> [WinEventLog:Security]<BR /> TRANSFORMS-set=dropevents</P> <P>transforms.conf<BR /> [dropevents]<BR /> REGEX = (?msi)^EventCode=(560|562|567).*^(Type=Audit Success)<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>I've tried various forms of the REGEX, including just the EventCodes, one EventCode, etc. Nothing seems to work; no events are dropped. I read that this was a known issue before 4.2.1, but it is not listed in the 4.3 known issues. Can anyone enlighten me as to what I may be doing wrong?</P> Wed, 01 Feb 2012 19:46:16 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-filter/m-p/62402#M12485 biciunas 2012-02-01T19:46:16Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-filter/m-p/62403#M12486 <P>Your regex is incorrect.</P> <P>It is Type=Success Audit, not Type=Audit Success (this happens with Windows 2008 which have different Event Codes - in which case your Event Codes are incorrect) as you wrote.<BR /> Something like this should work:</P> <PRE><CODE>[dropevents] REGEX = (?msi)^EventCode=(560|562|567).*^Type=Success Audit DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Wed, 01 Feb 2012 22:46:19 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-filter/m-p/62403#M12486 bojanz 2012-02-01T22:46:19Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-filter/m-p/62404#M12487 <P>Thanks for the correction - that was the solution. I guess I need remedial comprehension training, since I was staring at the answer in the logs..</P> Thu, 02 Feb 2012 13:38:35 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-filter/m-p/62404#M12487 biciunas 2012-02-02T13:38:35Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-filter/m-p/62405#M12488 <P>Example for Windows 2008 WinSecurity events:</P> <P>[dropevents] <BR /> REGEX = (?msi)^EventCode=(4776|4648|4624|4634).*^Keywords=Audit\sSuccess <BR /> DEST_KEY = queue <BR /> FORMAT = nullQueue </P> <P>You can also use the following site to verify the regex: </P> <P><A href="http://gskinner.com/RegExr/?31r9a">http://gskinner.com/RegExr/?31r9a</A></P> Wed, 11 Sep 2013 22:39:21 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-Security-filter/m-p/62405#M12488 splunkIT 2013-09-11T22:39:21Z