https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25616#M4183 <P>Hi, </P> <P>If two transformers are used, the first one routes all events to nullQueue, which we will not be able to capture any other events then??</P> <P>Your REGEX seems to be working fine and thanks for the link.</P> Tue, 10 Aug 2010 10:39:48 GMT remy06 2010-08-10T10:39:48Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25612#M4179 <P>Hi,</P> <P>How can I filter out "type=Success Audit" logs off a windows event and log only the failure logs?</P> <P>Currently I have this in transform.conf:<BR /> [setnull]<BR /> REGEX = (?m)^EventCode = 673<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue </P> <P>It is filtering off all of 673 but now I will like to capture the failure logs of 673 but not the success logs. </P> <P>Am just wondering if something like this can be done?<BR /> REGEX = (?m)^(EventCode = 673)(type = "Success Audit")</P> <P>Thanks</P> Thu, 05 Aug 2010 09:00:27 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25612#M4179 remy06 2010-08-05T09:00:27Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25613#M4180 <P>I think something like this will work for you:</P> <PRE><CODE>REGEX = [\r\n]+EventCode=673[\r\n]+.*?[\r\n]+Type=Success Audit[\r\n] </CODE></PRE> <P>I would recommend reading up on regex syntax here: </P> <UL> <LI><A href="http://www.regular-expressions.info/" rel="nofollow">http://www.regular-expressions.info/</A></LI> </UL> <P></P><HR /><P></P> <P>On second glance, I'm not sure that your given example stanza should work the way you want it too. If you have a regex that's matching EventCode=673, then only those events would be sent to the null queue and everything else would be indexed as normal. So you really need a regex that matches everything but event code 673. Then to meet your full requirements (filtering out the success messages), you would want a regex that filters out everything but failure 673 events. Another approach is to use two transformers, the first one routes all events to the <CODE>nullQueue</CODE>, and the second only matches your 673 failure messages and then sets the queue to <CODE>indexQueue</CODE></P> <P>You may find some more helpful examples on how to do this here:</P> <UL> <LI><A href="http://answers.splunk.com/questions/4816/winevent-filtering-on-heavy-forwarder" rel="nofollow">http://answers.splunk.com/questions/4816/winevent-filtering-on-heavy-forwarder</A></LI> </UL> Thu, 05 Aug 2010 20:43:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25613#M4180 Lowell 2010-08-05T20:43:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25614#M4181 <P>Do your WinEventLogs contain spaces between the keys and values. For example, do you see "EventCode = 673", or "EventCode=673"?</P> Thu, 05 Aug 2010 20:45:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25614#M4181 Lowell 2010-08-05T20:45:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25615#M4182 <P>I see Eventcode=673 without spaces.</P> Tue, 10 Aug 2010 09:23:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25615#M4182 remy06 2010-08-10T09:23:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25616#M4183 <P>Hi, </P> <P>If two transformers are used, the first one routes all events to nullQueue, which we will not be able to capture any other events then??</P> <P>Your REGEX seems to be working fine and thanks for the link.</P> Tue, 10 Aug 2010 10:39:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25616#M4183 remy06 2010-08-10T10:39:48Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25617#M4184 <P>I got it mistaken.It doesn't seem to be working.. Using the REGEX I've tried to filter off based on User instead:<BR /> REGEX = [\r\n]+EventCode=673[\r\n]+.*?[\r\n]+User=SYSTEM[\r\n]<BR /> But it doesn't work.</P> <P>Here is a sample of Windows event:<BR /> 08/05/10 05:39:03 PM<BR /> LogName=Security<BR /> SourceName=Security<BR /> EventCode=673<BR /> EventType=8<BR /> Type=Success Audit<BR /> ComputerName=ServerA<BR /> User=SYSTEM<BR /> ..<BR /> ..<BR /> ..<BR /> CategoryString=Account Logon<BR /> ..<BR /> Message=Service Ticket Request: </P> <PRE><CODE>User Name: ServerA.com User Domain: ServerA.com Service Name: ServerA$ .. .. Failure Code: - ... Transited Services: - </CODE></PRE> Fri, 13 Aug 2010 10:09:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25617#M4184 remy06 2010-08-13T10:09:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25618#M4185 <P>I did it like that:</P> <PRE><CODE>[wminull] REGEX = (?msi)^(EventCode=697|Type=Audit Success) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>So it simply filters EventCode=697 OR Type=Audit Success to the null queue</P> Tue, 31 Aug 2010 19:16:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25618#M4185 Daniel 2010-08-31T19:16:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25619#M4186 <P>I had to set something up like this. They wanted a list of the top 20 failed login by userid.</P> <P>I set the following up as an event type: index="prod_dc_event_logs" sourcetype="<EM>security</EM>" Type="Failure Audit" EventCode="538" OR EventCode="540" OR EventCode="680" </P> <P>Then I set the following search up: eventtype="WINTEL_FailedLogin" | chart count by Logon_account | sort 20 - count</P> <P>Brian</P> Tue, 31 Aug 2010 19:20:29 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25619#M4186 Brian_Osburn 2010-08-31T19:20:29Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25620#M4187 <P>Hi,</P> <P>Thanks for the suggestions.<BR /> This is working for us by capturing eventcode 578 AND Type=Audit Success :<BR /> <CODE>REGEX = (?msi)^EventCode=578.*^(Type=Audit Success)</CODE></P> Tue, 19 Oct 2010 10:25:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-off-winevent-code-to-capture-only-failure-audit/m-p/25620#M4187 remy06 2010-10-19T10:25:44Z