topic Re: How to filter Windows Event 4663 at indexing time? in Splunk Search

How to filter Windows Event 4663 at indexing time?

kiran331 — Thu, 17 Aug 2017 18:50:48 GMT

Hello,

How to filter out wineventlog with "EventCode 4663" and "Accesses: ReadData (or ListDirectory)", using props.conf and transforms.conf below is sample event.

08/17/2017 01:35:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=abc.cde
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=2326
Keywords=Audit Success
Message=An attempt was made to access an object.

Subject:
Security ID: S-1-5-80-1390545455-656-4545454545
Account Name: AAAADDDDDD
Account Domain: NT SERVICE
Logon ID: 0xC8184

Object:
Object Server: Security
Object Type: File
Object Name: D:\Program Files\dir\test\tt.exe
Handle ID: 0x11a5c
Resource Attributes:
Process Information:
Process ID: 0x224
Process Name: D:\Program Files\dir\test\tt.exe

Access Request Information:
Accesses: ReadData (or ListDirectory)

Access Mask:        0x1

Re: How to filter Windows Event 4663 at indexing time?

tmarlette — Thu, 17 Aug 2017 18:56:26 GMT

Check out this doc:
Router and Filter Data

Do a ctrl+f on your browser and search for setnull

Re: How to filter Windows Event 4663 at indexing time?

kiran331 — Tue, 29 Sep 2020 15:27:36 GMT

I tried below, its not working, did I miss anything?

props.conf

TRANSFORMS-set-null=set_null

transforms.conf

[set_null]
REGEX="(?msi)EventCode=4663.*readdata|EventCode=4663.*listdirectory"
DEST_KEY=queue
FORMAT=nullQueue

Re: How to filter Windows Event 4663 at indexing time?

tmarlette — Fri, 18 Aug 2017 21:10:44 GMT

Try this regex instead.

(EventCode=4663*.readdata|EventCode=4663.*listdirectory)

Re: How to filter Windows Event 4663 at indexing time?

kiran331 — Fri, 18 Aug 2017 21:24:50 GMT

I tried, its not working.

Re: How to filter Windows Event 4663 at indexing time?

tmarlette — Tue, 29 Sep 2020 15:27:41 GMT

[set_null_1]
REGEX=EventCode=4663.*readdata
DEST_KEY=queue
FORMAT=nullQueue

[set_null_2]
REGEX=EventCode=4663.*listdirectory
DEST_KEY=queue
FORMAT=nullQueue

try two seperate stanza's and call them out in props. Sometimes regex is funky with the ".*" and "|" matches in preindexing.

Re: How to filter Windows Event 4663 at indexing time?

kiran331 — Tue, 29 Sep 2020 15:28:21 GMT

I tried, its not filtering out the events, I'm also using one more regex to filter out splunk events, May be this is caousing the issue.

props.conf:

TRANSFORMS-set-exclude=set_exclude,set_nullqueue

TRANSFORMS-set-null1=set_null_1

TRANSFORMS-set-null2=set_null_2

transforms.conf:

[set_exclude]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

[set_nullqueue]
REGEX=C:\Program Files\SplunkUniversalForwarder\bin\*
DEST_KEY=queue
FORMAT=nullQueue

[set_null_1]
REGEX=EventCode=4663.*readdata
DEST_KEY=queue
FORMAT=nullQueue

[set_null_2]
REGEX=EventCode=4663.*listdirectory
DEST_KEY=queue
FORMAT=nullQueue

Re: How to filter Windows Event 4663 at indexing time?

skoelpin — Mon, 21 Aug 2017 17:01:15 GMT

Did you restart splunkd after making these changes?

Re: How to filter Windows Event 4663 at indexing time?

kiran331 — Mon, 21 Aug 2017 17:07:05 GMT

yes, I restarted all Indexers

Re: How to filter Windows Event 4663 at indexing time?

tmarlette — Mon, 21 Aug 2017 17:09:13 GMT

As a test, remove the ".* " and everything after it from your regexes and see if that works.

Re: How to filter Windows Event 4663 at indexing time?

kiran331 — Tue, 29 Sep 2020 15:28:23 GMT

I removed everything after EventCode, it filtered out all Event with 4663.

[set_remove]
REGEX = EventCode=4663
DEST_KEY=queue
FORMAT=nullQueue

Re: How to filter Windows Event 4663 at indexing time?

tmarlette — Mon, 21 Aug 2017 18:14:27 GMT

is it filtering out all of those events?

Re: How to filter Windows Event 4663 at indexing time?

kiran331 — Mon, 21 Aug 2017 18:16:50 GMT

yes, it filtering all events with 4663 Eventcodes, but I have filter out with Accesses: ReadData (or ListDirectory)

Re: How to filter Windows Event 4663 at indexing time?

tmarlette — Mon, 21 Aug 2017 18:18:41 GMT

yeah, so you'll need to find the right RegEx match to filter out what you need. I use .* or .+ in my extractions, but for some reason, during pre-indexing Splunk doesn't like those big wildcards.

Re: How to filter Windows Event 4663 at indexing time?

gcusello — Tue, 22 Aug 2017 08:02:24 GMT

Hi kiran331,
following Splunk documentation https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad you have to create props.conf and transforms.conf:

props.conf

TRANSFORMS-set-null=set_parsing,set_null

transforms.conf

[set_parsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

[set_null]
REGEX=(?ms)EventCode\=4663.*Accesses:\sReadData\s\(or\sListDirectory\)
DEST_KEY=queue
FORMAT=nullQueue

Beware to the order of stanzas in TRANSFORMS command in props.conf, instead order in transforms.conf it's not important.

Bye.
Giuseppe

Re: How to filter Windows Event 4663 at indexing time?

kiran331 — Tue, 29 Sep 2020 15:28:51 GMT

Hi Cusello,

Its still indexing Read Events. Below are my config files, Did I miss anthing?

props.conf

[WinEventLog:Security]

Returns most of the space savings XML would provide

SEDCMD-clean0 = s/(?m)(^\s+[^:]+:)\s+-?$/\1/g s/(?m)(^\s+[^:]+:)\s+-?$/\1/g s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g

Returns most of the space savings XML would provide

SEDCMD-clean1 = s/This event is generated[\S\s\r\n]+$//g
SEDCMD-clean2 = s/Certificate information is only[\S\s\r\n]+$//g

addresses most of the Ipv6 log event issues

SEDCMD-clean3 = s/::ffff://g

FIX #1

SEDCMD-clean4 = s/Token Elevation Type indicates[\S\s\r\n]+$//g

TRANSFORMS-set-null=set_parsing,set_null

TRANSFORMS-set-exclude=set_nullqueue

transforms.conf:

[Target_Server_Name_as_dest_nt_host]
SOURCE_KEY = Target_Server_Name
REGEX = ^(?!localhost)([\]+)?([^-].*)
FORMAT = dest_nt_host::"$2"

[Target_Server_Name_as_dest]
SOURCE_KEY = Target_Server_Name
REGEX = ^(?!localhost)([\]+)?([^-].*)
FORMAT = dest::"$2"

[set_parsing]
REGEX= .
DEST_KEY=queue
FORMAT=indexQueue

[set_null]
REGEX=(?ms)EventCode=4663.*Accesses:\sReadData\s(or\sListDirectory)
DEST_KEY=queue
FORMAT=nullQueue

[set_nullqueue]
REGEX=C:\Program Files\SplunkUniversalForwarder\bin\*
DEST_KEY=queue
FORMAT=nullQueue

Re: How to filter Windows Event 4663 at indexing time?

gcusello — Tue, 22 Aug 2017 16:37:39 GMT

Hi kiran331,
Parentheses are special characters for regex so you must put a backslash before them where they are in the search string.
So the regex of set_null stanza is

(?ms)EventCode\=4663.*Accesses:\sReadData\s\(or\sListDirectory\)

Bye.
Giuseppe