topic Re: regex in eventlog security in Splunk Search

regex in eventlog security

jcollin — Thu, 21 Mar 2013 13:48:15 GMT

Hello,
I tried a lot of solution to filter log events security without success.
I wish i could filter evenbements following:

Informations sur la demande d’accès :    Masque d’accès :     0x80    Accès :        ReadAttributes              Résultat de la vérification d’accès :  ReadAttributes: Accordé par    D:(A;;FA;;;WD)

I want to filter the word "accès".
I tried this:

[events-filter]
REGEX=(?msi)^Accès=(SYNCHRONIZE|ReadAttributes)\D
DEST_KEY = queue
FORMAT = nullQueue

but it does not work.
Do you have an idea to help me?

Re: regex in eventlog security

Rocket66 — Thu, 21 Mar 2013 14:03:03 GMT

I'm not shure, what you want to do ...

Do you want to filter all events where the string
"Accès" AND ("SYNCHRONIZE" OR "ReadAttributes")
occur?

Would be useful to specify your request.
Maybe it's better to filter by (known)fields like EventId, EventCode, etc. than plain strings ...

Greetz Robert

Re: regex in eventlog security

kristian_kolb — Thu, 21 Mar 2013 14:09:19 GMT

Does your events look like that (single-line), or are they truly multi-line?

One thing that springs to mind is that the actual log event does NOT contain the equals-to character (=). Also, I'm not sure that the accented 'e' might cause problems, so I wildcarded it, and added one-or-more whitespaces after the colon.

Also, I removed the caret (start-of-line).

Try;

REGEX=(?msi)Acc.s:\s+(ReadAttributes|SYNCHRONIZE)

Hope this helps somewhat,

Kristian

Re: regex in eventlog security

jcollin — Thu, 21 Mar 2013 14:21:24 GMT

Hello Robert,
I just want to filter events including the line "accès" contains "SYNCHRONIZE" or "ReadAttributes."
EventCode field is not enough, it is the 5145 and there are many.

Re: regex in eventlog security

jcollin — Thu, 21 Mar 2013 14:22:12 GMT

Hello kristian, my events are truly multi line.
I try your solution ...

Re: regex in eventlog security

jcollin — Thu, 21 Mar 2013 14:36:06 GMT

It does not seem to work.
I attached a screenshot of the event that I want to filter:

Re: regex in eventlog security

Rocket66 — Thu, 21 Mar 2013 15:18:48 GMT

Try the regex as Kristian posted (mofidied) :

(?msi)Accès\s+:\s+(ReadAttributes|SYNCHRONIZE)

Re: regex in eventlog security

jcollin — Thu, 21 Mar 2013 15:37:39 GMT

Hello i tried tis regex but it dosen't work, i have always the events with ReadAttributes ...

Re: regex in eventlog security

Rocket66 — Thu, 21 Mar 2013 15:39:21 GMT

If you are new in regex - as I am 🙂 - try to use :
Splunk's Field extractor (IFX)
or this very usefull regex tester tool : http://www.gskinner.com/RegExr/

Greetz Robert

Re: regex in eventlog security

jcollin — Thu, 21 Mar 2013 15:53:49 GMT

I do not understand because I have tried my hand with a regex tester (Kodos) and in the same way the code is to detect the field, but in Splunk, data back anyway.

Re: regex in eventlog security

jcollin — Fri, 22 Mar 2013 08:27:45 GMT

Hello, I tried with IFX, the problem is that the fields are extracted as the first, the "accès" does not appear:

If I display "view source" fields are visible :

On the Regex tester tool it is ok :

Re: regex in eventlog security

Ayn — Fri, 22 Mar 2013 08:35:26 GMT

Where are you trying to filter this? On an indexer or a forwarder?