topic Re: How to filter out all WinEventLog:Security messages except those containing the word "delete"? in Getting Data In

How to filter out all WinEventLog:Security messages except those containing the word "delete"?

Shark2112 — Fri, 19 Feb 2016 16:06:38 GMT

Hey guys.

I want to exclude all messages from WinEventLog:Security except those containing the word "delete"(for deleted file audit).

I was trying 2 ways:

1st: in inputs.conf

[WinEventLog://Security]
whitelist1 = "delete"
disabled = 0

2nd:
props.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = delete
DEST_KEY = queue
FORMAT = indexQueue

transforms.conf

[source::WinEventLog:Security] or [source::WinEventLog://Security]  (with // like in inputs.conf)
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set = setnull, setparsing

Both of this doesn't work and i take all events.

What is the difference between these two approaches and what did I do wrong?

Re: How to filter out all WinEventLog:Security messages except those containing the word "delete"?

Jeremiah — Fri, 19 Feb 2016 17:05:19 GMT

I think you have a syntax error in your inputs.conf file. You need to specify the key that contains the string "delete". In the inputs.conf example from the docs:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

whitelist = EventCode=%^200$% User=%jrodman%

You'll need to look at your specific event to identify the key. For example if the key was "Action":

whitelist = Action=%delete%

Your second method of using a props/transforms routing rule is also not correct. You have the configurations swapped between the two files. But in general you would use this method of filtering on your indexers or heavy forwarders, not your universal forwarders. Try correcting your whitelist and see if that works for you.

Re: How to filter out all WinEventLog:Security messages except those containing the word "delete"?

Shark2112 — Sat, 20 Feb 2016 10:40:08 GMT

Thank you for feedback! But if i need regex (because my fieldsname in russian and splunk cant read it), what can i do?

Re: How to filter out all WinEventLog:Security messages except those containing the word "delete"?

Jeremiah — Sat, 20 Feb 2016 17:11:24 GMT

Eesh, good question. You can still try specifying the key and see if Splunk can match it. If not, you are probably better off filtering on the indexer, where you do not need to specify the key. On the indexer, use the following:

transforms.conf

 [setnull]
 REGEX = .
 DEST_KEY = queue
 FORMAT = nullQueue

 [setparsing]
 REGEX = delete
 DEST_KEY = queue
 FORMAT = indexQueue

props.conf:

[WinEventLog:Security]
TRANSFORMS-set = setnull, setparsing

Re: How to filter out all WinEventLog:Security messages except those containing the word "delete"?

Shark2112 — Sat, 20 Feb 2016 17:36:01 GMT

i'll try now
But if i need more than one filter, what must i do?

Re: How to filter out all WinEventLog:Security messages except those containing the word "delete"?

Shark2112 — Sat, 20 Feb 2016 17:51:25 GMT

nvm, all's work fine, thx for help!