topic Re: REGEX problem transforms.conf WinEventLog:Security in Splunk Search

REGEX problem transforms.conf WinEventLog:Security

nrelihan — Thu, 16 Jun 2011 14:56:03 GMT

Hey, Im having problems with my REGEX expression, Im trying to filter out the following

If an event has Type = Success Audit OR [Type = Information AND Keywords = Audit Success]

The below event should get filtered out:

**06/16/11 03:32:33 PMLogName=SecuritySourceName=Microsoft Windows security auditing.EventCode=5156EventType=0Type=InformationComputerName=DBPP-AD1-08.UOMS.IETaskCategory=Filtering Platform ConnectionOpCode=InfoRecordNumber=403184238
Show all 30 lines
host=DBPP-AD1-08 Options| sourcetype=WinEventLog:Security Options| source=WinEventLog:Security Options| Keywords=Audit Success Options| Type=Information Options**

transforms.conf

[nullFilter]

REGEX = (?m)^(Type= Success Audit) | (Type = information && Keywords = Success Audit)

DEST_KEY = queue

FORMAT = nullQueue

Thanks for the help!**

Re: REGEX problem transforms.conf WinEventLog:Security

dshpritz — Thu, 16 Jun 2011 15:51:35 GMT

You may want to try:
REGEX = (?m)^(Type=Success\sAudit)|(Keywords=Audit\sSuccess.*Type=Information\sOptions)

Re: REGEX problem transforms.conf WinEventLog:Security

nrelihan — Thu, 16 Jun 2011 16:19:53 GMT

Thanks dshpritz, but I still get all these types in new searches of sourcetype="WinEventLog:Security"
I restarted the splunk after editing the transforms.conf.
Here is my props.conf:

[source::WinEventLog:Security]

TRANSFORMS-nullQ= nullFilter

Iv added an event below that came in after the modification.

Re: REGEX problem transforms.conf WinEventLog:Security

nrelihan — Thu, 16 Jun 2011 16:19:58 GMT

auditing.EventCode=5156EventType=0Type=InformationComputerName=DBPP-AD1-08.UOMS.IETaskCategory=Filtering Platform ConnectionOpCode=InfoRecordNumber=403243973Keywords=Audit SuccessMessage=The Windows Filtering Platform has permitted a connection.Application Information: Process ID: 780 Application Name: \device\harddiskvolume2\windows\system32\svchost.exeNetwork Information: Direction: Inbound Source Address: 10.10.10.1 Source Port: 135 Destination Address: 10.10.12.184 Destination Port: 2562 Protocol: 6Filter Information: Filter Run-Time ID: 0 Layer Name: Receive/Accept Layer Run-Time ID: 44

Re: REGEX problem transforms.conf WinEventLog:Security

dshpritz — Thu, 16 Jun 2011 16:30:37 GMT

if you take out the "(?m)^" at the start of the regex, does that help?

Re: REGEX problem transforms.conf WinEventLog:Security

nrelihan — Thu, 16 Jun 2011 16:41:23 GMT

I tried taking it out, but still nothing, everything seems to get though...

Its very strange, Here the directory I have the two files in.. any reason why you think its failing to capture?

uoms@DBPP-Splunk:/opt/splunk/etc/system/local$ ls -la

-rwxrwxr-x 1 splunk splunk 18665 2011-06-13 17:15 props.conf

-rwxrwxr-x 1 splunk splunk 10793 2011-06-16 17:35 transforms.conf

Thanks,

Re: REGEX problem transforms.conf WinEventLog:Security

dshpritz — Thu, 16 Jun 2011 16:50:52 GMT

You can change the regex to something which will always capture (like (.*)) to make sure Splunk is picking up the transform.

Also, is the event displaying correctly on the Answers site (with line breaks, etc)?

Re: REGEX problem transforms.conf WinEventLog:Security

nrelihan — Thu, 16 Jun 2011 17:03:02 GMT

I tried putting in (.*) as you suggested so I can see the transform is working, as I see nothing coming in.
No the events arent displaying correctly here which is a bit annoying, it seems to ignore the line breaks. Ill try to print what its like on splunk web with spaces inbetween lines

Re: REGEX problem transforms.conf WinEventLog:Security

nrelihan — Thu, 16 Jun 2011 17:05:05 GMT

06/16/11 05:52:59 PM

LogName=Security

SourceName=Microsoft Windows security auditing.

EventCode=5145

EventType=0

Type=Information

ComputerName=DBPP-AD1-08.UOMS.IE

TaskCategory=Detailed File Share

OpCode=Info

RecordNumber=403262630

Keywords=Audit Success

Message=A network share object was checked to see whether client can be granted desired access.

Re: REGEX problem transforms.conf WinEventLog:Security

dshpritz — Thu, 16 Jun 2011 17:51:47 GMT

There was a comment which came through email, but not displayed here which showed the event data. Another regex to try:

Type=Information\n(.*\n)*Keywords=Audit\sSuccess|Type=Success\sAudit

Re: REGEX problem transforms.conf WinEventLog:Security

dshpritz — Fri, 17 Jun 2011 14:19:51 GMT

Posted this yesterday, but it didn't seem to take. Based on the event shown in the email I got, here is another regex to try:
Type=Information\n(.*\n)+Keywords=Audit\sSuccess|Type=Success\sAudit

Re: REGEX problem transforms.conf WinEventLog:Security

matthewhaswell — Fri, 23 Sep 2011 13:02:35 GMT

Try one at a time - then try and expand it, also I notice you have spaces in your regex?

If you need 2 then do something like this:
props.conf:
TRANSFORMS-set = setnullevents1,setnullevents2

and then transforms.conf:

[setnullevents1]
blah

[setnullevents2]
blah

From our working one to filter out specific hosts and events:

[setnullevents]
REGEX = (?ms)(EventCode=(17503|6105|6107|6106|6201)\D).*(ComputerName=(COMP-001|COMP-002|COMP-003))

DEST_KEY = queue

FORMAT = nullQueue