<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: building a search on windows event security logs in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/building-a-search-on-windows-event-security-logs/m-p/51112#M9811</link>
    <description>&lt;P&gt;Thank you very much, I am trying that now!  I appreciate the help, my regex looked nothing like that...&lt;/P&gt;</description>
    <pubDate>Tue, 01 Mar 2011 19:23:25 GMT</pubDate>
    <dc:creator>udiggity</dc:creator>
    <dc:date>2011-03-01T19:23:25Z</dc:date>
    <item>
      <title>building a search on windows event security logs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/building-a-search-on-windows-event-security-logs/m-p/51108#M9807</link>
      <description>&lt;P&gt;I'm trying to build a search on Windows event logs that will exclude activity by the real-time antivirus scanner and return a list of users in order of amount of data accessed... Not sure if this is possible.  Below is the line I'd like to filter on, as that is the AV program.  Can anyone point me in the right direction... Should point out that I am very new to Splunk and don't know much about the built-in search tools (reading the docs now).&lt;/P&gt;

&lt;P&gt;Image File Name:    E:\Program Files\CA\eTrustITM\InoRT.exe&lt;/P&gt;</description>
      <pubDate>Mon, 28 Feb 2011 23:11:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/building-a-search-on-windows-event-security-logs/m-p/51108#M9807</guid>
      <dc:creator>udiggity</dc:creator>
      <dc:date>2011-02-28T23:11:31Z</dc:date>
    </item>
    <item>
      <title>Re: building a search on windows event security logs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/building-a-search-on-windows-event-security-logs/m-p/51109#M9808</link>
      <description>&lt;P&gt;Looking at it high level, you have two different options. If your logs are absolutely filled with those entries, you can filter them out altogether so that they won't be in Splunk. How to do that depends on how you are getting the event log data into Splunk (e.g., WMI, Lasso, etc.). Answers.splunk.com and the Splunk documentation are filled with questions about how to do that, but here are a couple that might be useful:&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;&lt;A href="http://www.splunk.com/base/Documentation/latest/Admin/Routeandfilterdata" rel="nofollow"&gt;http://www.splunk.com/base/Documentation/latest/Admin/Routeandfilterdata&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://www.splunk.com/support/forum:SplunkGeneral/2247" rel="nofollow"&gt;http://www.splunk.com/support/forum:SplunkGeneral/2247&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;A simpler approach, though, would be to just exclude it from your search. For example, if a search for Windows Security Event Logs is &lt;CODE&gt;sourcetype=windows_security&lt;/CODE&gt; you could run:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;sourcetype=windows_security NOT "Image File Name: E:\Program Files\CA\eTrustITM\InoRT.exe"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;That will leave you with the security event log information, excluding the AV activity. Apart from cleanliness and speed, the big advantage of the first approach is that it won't count against your quota.  &lt;/P&gt;

&lt;P&gt;Hopefully that answers your question.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Feb 2011 23:42:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/building-a-search-on-windows-event-security-logs/m-p/51109#M9808</guid>
      <dc:creator>David</dc:creator>
      <dc:date>2011-02-28T23:42:47Z</dc:date>
    </item>
    <item>
      <title>Re: building a search on windows event security logs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/building-a-search-on-windows-event-security-logs/m-p/51110#M9809</link>
      <description>&lt;P&gt;Thank you, I'll try this. Yeah, I tried filtering it in the props and transforms files but couldn't get the regex to work right.  I am filtering on multiple system accounts successfully at the moment, so I'm fairly certain it is just a matter of getting the proper regex string. I am using WMI to get the event logs from my Windows servers.&lt;/P&gt;</description>
      <pubDate>Tue, 01 Mar 2011 01:36:00 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/building-a-search-on-windows-event-security-logs/m-p/51110#M9809</guid>
      <dc:creator>udiggity</dc:creator>
      <dc:date>2011-03-01T01:36:00Z</dc:date>
    </item>
    <item>
      <title>Re: building a search on windows event security logs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/building-a-search-on-windows-event-security-logs/m-p/51111#M9810</link>
      <description>&lt;P&gt;Ah, yeah. That does sound like a regex issue, if you're able to filter out other events from the source. I'd go with the regex: &lt;BR /&gt;
&lt;CODE&gt;Image File Name: .*?InoRT\.exe&lt;/CODE&gt;&lt;BR /&gt;
myself. That should match InoRT.exe anywhere in the event, which I'd guess is good enough for your needs. You should be able to use the full string, but you'll likely need to escape the backslashes. I haven't done event filtering myself, but I would expect that you would need to replace every \ with \\.&lt;/P&gt;</description>
      <pubDate>Tue, 01 Mar 2011 02:19:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/building-a-search-on-windows-event-security-logs/m-p/51111#M9810</guid>
      <dc:creator>David</dc:creator>
      <dc:date>2011-03-01T02:19:31Z</dc:date>
    </item>
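As an added example (not code from the thread, and not Splunk's own documentation), here is a Python check of the props.conf/transforms.conf nullQueue approach David describes and of the backslash escaping his last reply refers to. It parses a constructed transforms.conf/props.conf pair, applies the nullQueue transform to constructed sample events in the Windows 2003 "Object Open" layout the poster quoted from, and shows why the unescaped path does not even compile as a regex. The stanza names, the `WMI:WinEventLog:Security` sourcetype and the sample events are assumptions made for the example; check your own inputs.conf for the real sourcetype. Two caveats a practitioner would want: nullQueue filtering only happens where events are parsed (the indexer or heavy forwarder, which for WMI inputs is the Splunk instance doing the collection), and events routed to nullQueue are dropped before indexing, which is why they do not count against the license, unlike a search-time `NOT` clause.

```python
import re
import configparser

# Constructed transforms.conf fragment (assumed stanza name, not from the
# thread). Inside a regex a literal backslash must be written as "\\";
# that is the escaping David's reply refers to.
TRANSFORMS_CONF = r"""
[drop_inort_scanner]
REGEX = Image File Name:\s+E:\\Program Files\\CA\\eTrustITM\\InoRT\.exe
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed props.conf fragment. The stanza name assumes the WMI Security
# event log sourcetype; substitute whatever your inputs.conf actually sets.
PROPS_CONF = r"""
[WMI:WinEventLog:Security]
TRANSFORMS-drop_av = drop_inort_scanner
"""

# Constructed sample events (invented test data, not real log extracts).
SAMPLE_EVENTS = [
    "EventCode=560\nMessage=Object Open:\n    Object Name:    E:\\Shares\\Finance\\q4.xlsx\n"
    "    Image File Name:    E:\\Program Files\\CA\\eTrustITM\\InoRT.exe\n",
    "EventCode=560\nMessage=Object Open:\n    Object Name:    E:\\Shares\\Finance\\q4.xlsx\n"
    "    Image File Name:    C:\\Windows\\explorer.exe\n",
    "EventCode=560\nMessage=Object Open:\n    Object Name:    E:\\Shares\\HR\\salaries.doc\n"
    "    Image File Name:    E:\\Program Files\\CA\\eTrustITM\\InoRT.exe\n",
]


def nullqueue_regexes(transforms_text, props_text, sourcetype):
    """Compile the REGEX of every transform that props.conf applies to
    `sourcetype` and that routes matching events to nullQueue."""
    transforms = configparser.ConfigParser(interpolation=None)
    transforms.read_string(transforms_text)
    props = configparser.ConfigParser(interpolation=None)
    props.read_string(props_text)
    patterns = []
    if not props.has_section(sourcetype):
        return patterns
    for key, value in props.items(sourcetype):
        # configparser lower-cases keys, so match on the "transforms-" prefix
        if not key.startswith("transforms-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            if t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue":
                patterns.append(re.compile(t["REGEX"]))
    return patterns


def keep_event(event, patterns):
    """True when the event would reach the index (no nullQueue regex hit)."""
    return not any(p.search(event) for p in patterns)


def filter_events(events, transforms_text=TRANSFORMS_CONF,
                  props_text=PROPS_CONF, sourcetype="WMI:WinEventLog:Security"):
    """Apply the configured nullQueue transforms and return surviving events."""
    patterns = nullqueue_regexes(transforms_text, props_text, sourcetype)
    return [e for e in events if keep_event(e, patterns)]


def regex_compiles(pattern):
    """Sanity check for a REGEX value before it goes into transforms.conf.
    A bare backslash before a letter (as in "\Program") is not a literal
    backslash in Python's re or in PCRE, so the unescaped path is rejected."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    kept = filter_events(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} events in, {len(kept)} kept after nullQueue filter")
    print("unescaped path compiles:",
          regex_compiles(r"E:\Program Files\CA\eTrustITM\InoRT.exe"))
    print("escaped path compiles:",
          regex_compiles(r"E:\\Program Files\\CA\\eTrustITM\\InoRT\.exe"))
```

Run it as a script: only the explorer.exe event survives, and the unescaped path fails `regex_compiles` while the doubled-backslash form passes. The same REGEX string, with the same doubled backslashes, is what goes into the real transforms.conf.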
    <item>
      <title>Re: building a search on windows event security logs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/building-a-search-on-windows-event-security-logs/m-p/51112#M9811</link>
      <description>&lt;P&gt;Thank you very much, I am trying that now!  I appreciate the help, my regex looked nothing like that...&lt;/P&gt;</description>
      <pubDate>Tue, 01 Mar 2011 19:23:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/building-a-search-on-windows-event-security-logs/m-p/51112#M9811</guid>
      <dc:creator>udiggity</dc:creator>
      <dc:date>2011-03-01T19:23:25Z</dc:date>
    </item>
    <item>
      <title>Re: building a search on windows event security logs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/building-a-search-on-windows-event-security-logs/m-p/51113#M9812</link>
      <description>&lt;P&gt;Thanks, that regex string did it!  I really appreciate the help.&lt;/P&gt;</description>
      <pubDate>Tue, 01 Mar 2011 19:56:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/building-a-search-on-windows-event-security-logs/m-p/51113#M9812</guid>
      <dc:creator>udiggity</dc:creator>
      <dc:date>2011-03-01T19:56:36Z</dc:date>
    </item>
  </channel>
</rss>

