https://community.splunk.com/t5/Splunk-Search/Filtering-WinEventLog-Security/m-p/170460#M48770 <P>Thanks Luke! I will test this and get back to you.</P> Tue, 20 May 2014 08:29:05 GMT denisevw 2014-05-20T08:29:05Z https://community.splunk.com/t5/Splunk-Search/Filtering-WinEventLog-Security/m-p/170457#M48767 <P>Good day</P> <P>I read a few answers on the WinEventLog:Security filtering but it does not cover the answers I'm looking for.</P> <P>I need to filter out event codes but only the ones that contain an Account_Name: Local Service entry.</P> <P>The regex that I'm using in transforms.conf on the Indexers does not work:</P> <P>props.conf<BR /> [WinEventLog:Security]<BR /> TRANSFORMS-evtlog = eventnull<BR /> TRANSFORMS-wfevtlog = wfeventnull</P> <P>transforms.conf<BR /> <A href="https://community.splunk.com/?m">eventnull</A>^EventCode=(560|562|4656|4658|4663)[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.*?\$$))<BR /> DEST_KEY=queue<BR /> FORMAT=nullQueue</P> <P>[wfeventnull]<BR /> REGEX=(?m)^EventCode=(5152|5156|5157|5158)<BR /> DEST_KEY=queue<BR /> FORMAT=nullQueue</P> <P>Here is an example of the event I'm try to filter out:<BR /> 05/18/2014 10:11:31 PM <BR /> LogName=Security <BR /> SourceName=Microsoft Windows security auditing. <BR /> EventCode=4656 <BR /> EventType=0 <BR /> Type=Information <BR /> ComputerName=server.domain.local <BR /> TaskCategory=File System <BR /> OpCode=Info <BR /> RecordNumber=123456789 <BR /> Keywords=Audit Success <BR /> Message=A handle to an object was requested. </P> <P>Subject: <BR /> Security ID: NT AUTHORITY\LOCAL SERVICE <BR /> Account Name: LOCAL SERVICE <BR /> Account Domain: NT AUTHORITY <BR /> Logon ID: 0x3e5 </P> <P>Object: <BR /> Object Server: Security <BR /> Object Type: File <BR /> Object Name: \Device\Udp6 <BR /> Handle ID: 0xc930 </P> <P>Process Information: <BR /> Process ID: 0x1ac <BR /> Process Name: C:\Windows\System32\svchost.exe </P> <P>Access Request Information: <BR /> Transaction ID: {00000000-0000-0000-0000-000000000000} <BR /> Accesses: READ_CONTROL <BR /> SYNCHRONIZE <BR /> Execute/Traverse <BR /> ReadAttributes <BR /> Access Reasons: - <BR /> Access Mask: 0x1200a0 <BR /> Privileges Used for Access Check: - <BR /> Restricted SID Count: 0</P> Mon, 19 May 2014 20:02:24 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-WinEventLog-Security/m-p/170457#M48767 denisevw 2014-05-19T20:02:24Z https://community.splunk.com/t5/Splunk-Search/Filtering-WinEventLog-Security/m-p/170458#M48768 <P>(?m)^EventCode=(560|562|4656|4658|4663)[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.<EM>?\$$))<BR /> should be:<BR /> REGEX=(?m)^EventCode=(560|562|4656|4658|4663)[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.</EM>?\$$))</P> Mon, 19 May 2014 20:20:17 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-WinEventLog-Security/m-p/170458#M48768 denisevw 2014-05-19T20:20:17Z https://community.splunk.com/t5/Splunk-Search/Filtering-WinEventLog-Security/m-p/170459#M48769 <P>I've seen similar things with Account name extractions... Believe it or not, Account Name is not the start of a line, so you need to remove the <CODE>^</CODE>.</P> <P>Test the regex in the search bar, and if you want to see the structure look a the event punctuation I think.</P> <P><CODE>(?m)^EventCode=(560|562|4656|4658|4663)[sS]+?AccountsName:s+(?:(?:LOCALsSERVICE)|(?:.*?$$))</CODE></P> Mon, 19 May 2014 20:28:02 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-WinEventLog-Security/m-p/170459#M48769 lukejadamec 2014-05-19T20:28:02Z https://community.splunk.com/t5/Splunk-Search/Filtering-WinEventLog-Security/m-p/170460#M48770 <P>Thanks Luke! I will test this and get back to you.</P> Tue, 20 May 2014 08:29:05 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-WinEventLog-Security/m-p/170460#M48770 denisevw 2014-05-20T08:29:05Z https://community.splunk.com/t5/Splunk-Search/Filtering-WinEventLog-Security/m-p/170461#M48771 <P>This worked perfectly. Thank you very much!</P> Tue, 20 May 2014 10:14:04 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-WinEventLog-Security/m-p/170461#M48771 denisevw 2014-05-20T10:14:04Z