topic Saving License on Windows Events - Regex "This event..." in Splunk Search

Saving License on Windows Events - Regex "This event..."

dieguiariel — Wed, 05 Aug 2020 04:38:38 GMT

Hi! i've been trying to regex some part of the windows events to save license. Many windows events contains a large part of text that begins with "This event is generated".

I've edited props.conf:

[source::WinEventLog:Security] TRANSFORMS-removedescription = removeEventDesc1

and transforms.conf:

[removeEventDesc1] LOOKAHEAD = 16128 REGEX = (?msi)(.*)This event is generated DEST_KEY = _raw FORMAT = $1

(based on this link https://www.hurricanelabs.com/splunk-tutorials/windows-event-log-filtering-design-in-splunk)

But isn't working.

There is another way to do this?

I've installed forwarders on my windows systems, and already blacklisted events with inputs.conf (that works)

Thanks in advance and sorry for my english, im from Paraguay.

Re: Saving License on Windows Events - Regex "This event..."

richgalloway — Tue, 04 Aug 2020 23:54:41 GMT

A slightly simpler method (from Splunk Add-on for Windows) uses SEDCMD

SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g

Re: Saving License on Windows Events - Regex "This event..."

thambisetty — Wed, 05 Aug 2020 03:46:11 GMT

If you have already blacklisted on universal forwarder why do you want to do it at heavy forwarder level.

the best recommended way of blacklisting windows events is using universal forwarder.

Re: Saving License on Windows Events - Regex "This event..."

dieguiariel — Wed, 05 Aug 2020 15:48:14 GMT

Hi, thanks for your response, I have a master server and an indexer server separately. I've installed the deployment server on the master. The Splunk Add-on for Windows must be installed in this case on both?

(based on https://docs.splunk.com/Documentation/WindowsAddOn/8.0.0/User/Install )

And later push the addon to the universal forwarders with the deployment server.

I will try this.

Re: Saving License on Windows Events - Regex "This event..."

dieguiariel — Wed, 05 Aug 2020 15:49:48 GMT

So this regex must be on the universal forwarder app folder? I will try this too. Thanks for your reply

Re: Saving License on Windows Events - Regex "This event..."

thambisetty — Wed, 05 Aug 2020 18:03:33 GMT

Okay. Please like the answer if it solves your questions.

Re: Saving License on Windows Events - Regex "This event..."

dieguiariel — Fri, 07 Aug 2020 17:45:23 GMT

Thanks, ive installed the addon, create a serverclass with some windows and deploy the app to the servers and its working. It seems that this has changed also the format of logs to xml.

thanks!

Re: Saving License on Windows Events - Regex "This event..."

dieguiariel — Fri, 07 Aug 2020 17:47:54 GMT

i've manually edit the universal forwarder files on the windows machine but seems that this regex need the Windows addon, without it doesnt make any difference.

Re: Saving License on Windows Events - Regex "This event..."

thambisetty — Fri, 07 Aug 2020 18:02:32 GMT

not really you just need inputs.conf, you don't need to push complete TA.

for example:

[WinEventLog://Security] disabled = 0 index = windows #blacklist1 = EventCode=%^4663$% # example blacklist all 4663 event codes #blacklist6 = EventCode = "4663" Message = "Process Name:\s+\\Device\\HarddiskVolume6\\Tomcat\\bin\\Tomcat9.exe" # blacklist Tomcat from EventCode 4663

Note: blacklists statements are commented

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/MonitorWindowseventlogdata#Create_advanced_filters_with_.27whitelist.27_and_.27blacklist.27

Re: Saving License on Windows Events - Regex "This event..."

dieguiariel — Mon, 10 Aug 2020 15:32:13 GMT

Yes, i've successfully blacklisted and whitelisted events with eventcoodes just with inputs.conf, but i couldn't "filter" the text inside the event, i need one eventcode but i don't need the text inside the event that begins with "this event is generated..."

Only pushing the complete TA from windows i been able to do that. I get the event but not the part with "This event is generated..."