All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Windows TA XmlFixup source transforms not applying

c_boggs
Explorer
‎10-24-2018 11:11 AM

Utilizing Splunk_TA_windows 5.0.1, on Splunk 7.1.2 - I have applocker event log inputs defined (with renderXml = true) on various hosts running the Universal Forwarder, with no sourcetype set in the inputs.conf.

The issue is that the TA is not properly setting the expected source for an XmlWinEventLog* sourcetyped event. They remain as they were before the TA upgrade - which is "WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL" instead of the expected "XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL".

It gets more confusing because the TA renames sourcetypes at search time with a props "rename" option, but I was able to verify the sourcetype is indexed correctly by searching using _sourcetype instead and getting the expected results.

On our heavy forwarder, I dug into the TA and found a couple wildcard stanzas that apply transforms which are supposed to change the source and sourcetype:

default\props.conf

[(?::){0}WinEventLog:*]
TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype

[(?::){0}XmlWinEventLog:*]
TRANSFORMS-XmlFixup = ta-windows-fix-xml-source,ta-windows-fix-sourcetype

default\transforms.conf

[ta-windows-fix-classic-source]
DEST_KEY = MetaData:Source
REGEX = (?m)^LogName=(.+?)\s*$
FORMAT = source::WinEventLog:$1

[ta-windows-fix-xml-source]
DEST_KEY = MetaData:Source
REGEX = <Channel>(.+?)<\/Channel>.*
FORMAT = source::XmlWinEventLog:$1

[ta-windows-fix-sourcetype]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::([^:]*)
FORMAT = sourcetype::$1

However, these don't seem to be matching events properly, in this specific example, an event sourcetyped "XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL".

To test, I added the following stanza in the windows TA local\props.conf on the HF and restarted it:

[XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL]
TRANSFORMS-XmlFixup = ta-windows-fix-xml-source,ta-windows-fix-sourcetype

And I get the expected results - the transforms now apply to that sourcetype, and the correct source of "XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL" is now indexed.

Is this a bug in the TA or my version of Splunk with the "undocumented" sourcetype stanza wildcard method, or have I got something misconfigured?

0 Karma
Reply

bhargavnariyani
Path Finder
‎10-26-2018 12:19 AM

Hey @c.boggs,
As I didn't have a live event for the same, I verified this using make results on Splunk 7.0.0 Standalone machine, by installing the latest Windows TA-5.0.1
Things did work as expected for me, source converted to XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL while sourcetype to XmlWinEventLog
I don't think there is an issue with TA.
Still a sample event from you can be helpful to crosscheck.
PFA of my sample event got correctly assigned source and sourcetype screenshot.alt text

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...