I'm new to this field and I have one question.
We have too many Windows security logs indexed that are generated by machine accounts.
I want to filter out logs that look like this:
SourceName=Microsoft Windows security auditing.
Message=The handle to an object was closed.
Security ID: DOMAIN1\SERVER01$
Account Name: SERVER01$
Account Domain: DOMAIN1
Logon ID: 0x347732
I need to filter out logs that have "Account Name: SERVER01$".
What is the best way to do this?
I know about props.conf and transforms.conf, but I don't know how to generate the right regex for that.
You need to blacklist your [WinEventLog://Security] input in inputs.conf.
Refer to the documentation for using whitelist and blacklist in inputs.conf.
Also, for the specs and configuration of inputs.conf, please refer to http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
niketnilay, thanks for the answer, but I need EventCode 4658.
I want to filter out only the machine account (Account Name: SERVER01$) that generates these logs. I need the other accounts.
Do you need to prevent them from being indexed or do you need them to be dropped from a specific search's results set?
Assuming that the
props.conf:

[source::WinEventLog:Security]
TRANSFORMS-eliminate-4658-SERVER01 = eliminate-4658-SERVER01

transforms.conf:

[eliminate-4658-SERVER01]
REGEX = (?ms)[\s\r\n]+EventCode\s*=\s*4658[\s\r\n]+.*[\s\r\n]+Account\s+Name:\s*SERVER01\$[\s\r\n]+
DEST_KEY = queue
FORMAT = nullQueue

You will need to restart splunkd on EVERY indexer, and even then, only post-restart events will be dropped (what is in is in).
Woodcock, thanks, but after your proposed changes I now have a situation where all of my security logs from this particular machine are filtered out. Not only 4658 with account name SERVER01$, but all of them.
Do you have any idea?
First, I forgot 1 key configuration: FORMAT = nullQueue (I updated the answer). But that mistake should not have caused what you are describing. Fix that mistake and if it doesn't behave, then perhaps there is something else that you added that is doing this (e.g.
props.conf:

TRANSFORMS-filterWinSecNull = filterWinSecNull

transforms.conf:

REGEX = (?ms)[\s\r\n]+EventCode\s*=\s*4658[\s\r\n]+.*[\s\r\n]+Account\s+Name:\s*SERVER01\$[\s\r\n]+
DEST_KEY = queue
FORMAT = nullQueue
These are my props.conf and transforms.conf files.
I don't have any blacklists.
This configuration filters out all Windows security logs from that particular machine, which has lots of logs with Account Name SERVER01$.
Do you have any ideas?
Thanks in advance
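As an added example (not part of this thread and not Splunk's own code), the script below runs the nullQueue REGEX from the answer above against constructed sample events in the classic WinEventLog raw text layout, so the transform can be checked for over-matching before it is deployed and splunkd restarted. Splunk evaluates the REGEX with PCRE; Python's re handles this particular pattern the same way. The event contents and the user name jsmith are constructed sample data.

```python
import re

# Regex from the transforms.conf stanza in the answer above, quantifiers intact.
NULLQUEUE_REGEX = (
    r"(?ms)[\s\r\n]+EventCode\s*=\s*4658[\s\r\n]+.*[\s\r\n]+"
    r"Account\s+Name:\s*SERVER01\$[\s\r\n]+"
)


def make_event(event_code, message, account_name):
    """Build a constructed raw event in the classic WinEventLog text layout.

    Only the header fields the regex depends on are included; this is
    sample data, not a real log.
    """
    return (
        "03/01/2016 10:00:01 AM\n"
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        f"EventCode={event_code}\n"
        "ComputerName=SERVER01.domain1.local\n"
        f"Message={message}\n"
        "\n"
        "Subject:\n"
        f"\tSecurity ID:\t\tDOMAIN1\\{account_name}\n"
        f"\tAccount Name:\t\t{account_name}\n"
        "\tAccount Domain:\t\tDOMAIN1\n"
        "\tLogon ID:\t\t0x347732\n"
    )


# Constructed samples: the one event the filter should drop plus two it must keep.
EVENTS = {
    "4658_machine": make_event(4658, "The handle to an object was closed.", "SERVER01$"),
    "4658_user": make_event(4658, "The handle to an object was closed.", "jsmith"),
    "4624_machine": make_event(4624, "An account was successfully logged on.", "SERVER01$"),
}


def routed_to_nullqueue(raw_event, regex=NULLQUEUE_REGEX):
    """True if the transform's REGEX matches, i.e. Splunk would drop the event."""
    return re.search(regex, raw_event) is not None


def classify(events=EVENTS, regex=NULLQUEUE_REGEX):
    """Map each sample event name to whether the filter would drop it."""
    return {name: routed_to_nullqueue(raw, regex) for name, raw in events.items()}


if __name__ == "__main__":
    for name, dropped in classify().items():
        print(f"{name:13s} -> {'DROPPED' if dropped else 'kept'}")
```

Paste a few real raw events (as they appear in _raw) into EVENTS to confirm the pattern only matches the 4658 machine-account events on your own data.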