https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157941#M44492 <P>Mmm, I'm still getting the events with destination_address=192.168.x.x</P> Tue, 11 Aug 2015 07:40:10 GMT pdjhh 2015-08-11T07:40:10Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157935#M44486 <P>Hi guys,</P> <P>I am ingesting Windows event logs including event code 5156 which is chewing up a lot of license. I have had it turned off (as it is 'firewall permitted connection'), but we want to track connections from these hosts to external IP addresses so I have switched it back on. What I'm thinking is, it would be good to be able to filter out all of the events that are destined for the internal network as they are not of interest.</P> <P>The internal network is 192.168.x.x so I'd be looking to filter out all of those and let the rest get indexed. That would mean filtering out EventCode=4624 with field Destination Address=192.168*.</P> <P>Looking around this will probably be a props and transforms with regex or potentially a fancy blacklist. Hope you can advise.</P> <P>Thanks.</P> Mon, 10 Aug 2015 12:54:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157935#M44486 pdjhh 2015-08-10T12:54:34Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157936#M44487 <P>I'd say you need a black- and then a whitelist, so something like this in transforms.conf:</P> <PRE><CODE>[throwout] REGEX = (?m)^EventCode=(5156) DEST_KEY = queue FORMAT = nullQueue [keepsome] REGEX = Destination\sAddress\:\s192\.168\. DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P>and this in props.conf:</P> <PRE><CODE>[WinEventLog:Security] TRANSFORMS-set= throwout,keepsome </CODE></PRE> <HR /> <P>PS: I just realized that the above does the opposite of what you intended to do - it throws out all allowed firewall events, and it keeps specifically those destined for your local network. I must've misread your question halfway through, sorry.<BR /> One possibility to achieve your goal is this, where we assume there are no other occurences of "Destination Adress = some ip" in any of the windows events (which I'm not really sure about, but preliminary googling revealed these to be most common in events 5156 and 5152). Props.conf:</P> <PRE><CODE>[WinEventLog:Security] TRANSFORMS-set= throwoutlocal </CODE></PRE> <P>and transforms.conf:</P> <PRE><CODE>[throwoutlocal] REGEX = Destination\sAddress\:\s192\.168\. DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>A more reliable solution would be to use the cool method runals provided in the other answer - you won't miss any events at all, and you'll still cut down on the license and storage capacity for those prattling windows event logs.</P> Mon, 10 Aug 2015 13:30:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157936#M44487 jeffland 2015-08-10T13:30:50Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157937#M44488 <P>You could also look at re-writing the events to make them smaller = less license: <A href="http://runals.blogspot.com/2014/07/taming-verbose-windows-logs-in-splunk.html">http://runals.blogspot.com/2014/07/taming-verbose-windows-logs-in-splunk.html</A></P> Mon, 10 Aug 2015 14:50:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157937#M44488 Runals 2015-08-10T14:50:54Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157938#M44489 <P>Thanks for getting back to me. I'm very new to regex but that looks like you're keeping the events with 192.168. in them? I need to drop those ones and keep the rest. What do you think?</P> Tue, 11 Aug 2015 06:55:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157938#M44489 pdjhh 2015-08-11T06:55:21Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157939#M44490 <P>I have already added something to the answer in the meantime, does that help you out?</P> Tue, 11 Aug 2015 07:09:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157939#M44490 jeffland 2015-08-11T07:09:27Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157940#M44491 <P>I've just thrown it in, will need to let it run for a while so thanks, will write back.</P> Tue, 11 Aug 2015 07:32:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157940#M44491 pdjhh 2015-08-11T07:32:51Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157941#M44492 <P>Mmm, I'm still getting the events with destination_address=192.168.x.x</P> Tue, 11 Aug 2015 07:40:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157941#M44492 pdjhh 2015-08-11T07:40:10Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157942#M44493 <P>Check your raw windows event logs. I based the above regex on a sample event I found for that event code, maybe yours looks differently? Please post a raw event.</P> Tue, 11 Aug 2015 07:44:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157942#M44493 jeffland 2015-08-11T07:44:14Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157943#M44494 <P>08/11/2015 05:48:23 PM<BR /> LogName=Security<BR /> SourceName=Microsoft Windows security auditing.<BR /> EventCode=5156<BR /> EventType=0<BR /> Type=Information<BR /> ComputerName=vm50_Template<BR /> TaskCategory=Filtering Platform Connection<BR /> OpCode=Info<BR /> RecordNumber=29313482<BR /> Keywords=Audit Success<BR /> Message=The Windows Filtering Platform has permitted a connection.</P> <P>Application Information:<BR /> Process ID: 1628<BR /> Application Name: \device\harddiskvolume2\program files\vmware\vmware view\agent\bin\wsnm_jms.exe</P> <P>Network Information:<BR /> Direction: Outbound<BR /> Source Address: 192.168.10.200<BR /> Source Port: 49159<BR /> Destination Address: 192.168.6.21<BR /> Destination Port: 4001<BR /> Protocol: 6</P> <P>Filter Information:<BR /> Filter Run-Time ID: 76977<BR /> Layer Name: Connect<BR /> Layer Run-Time ID: 48</P> Tue, 11 Aug 2015 07:52:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157943#M44494 pdjhh 2015-08-11T07:52:43Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157944#M44495 <P>The regex should work then. Strange.<BR /> You did restart the forwarder I assume? Can you confirm the settings with btool?</P> Tue, 11 Aug 2015 07:58:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157944#M44495 jeffland 2015-08-11T07:58:07Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157945#M44496 <P>IT could be working now I'm not sure as I'm not getting any hits. The connections to non 192 addresses are few and far between so I'll leave it run for a while. If I see any events destined for non 192 addresses then we must be there..</P> Tue, 11 Aug 2015 08:39:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157945#M44496 pdjhh 2015-08-11T08:39:34Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157946#M44497 <P>I'm seeing a huge number less events but still ones with 192 destination addresses. Problem with that is I don't really know what's working and what isn't. Will need to look deeper. Thanks.</P> Tue, 11 Aug 2015 08:58:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157946#M44497 pdjhh 2015-08-11T08:58:41Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157947#M44498 <P>I had the .conf files in the wrong location on the forwarder! Moved them to etc/system/local and started to take effect. Based on that I moved onto the solution mentioned by runals below which also worked after some addtional field extractions I had to do on the newly trimmed events.</P> <P>Thanks guys.</P> Tue, 11 Aug 2015 12:41:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157947#M44498 pdjhh 2015-08-11T12:41:27Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157948#M44499 <P>Hi there. This did indeed work for me and I got my events down from 766 to about 170. Looking forward to seeing the license usage tomorrow. I had to do some new field extractions but the trimmed events were neat and tidy so easy to do. Thanks a lot.</P> Tue, 11 Aug 2015 12:42:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-props-conf-and-transforms-conf-to-filter-out-a/m-p/157948#M44499 pdjhh 2015-08-11T12:42:31Z