Hello everybody,
I'm new to this field and I have one question.
We have too many Windows security logs indexed that are generated by machine accounts.
I want to filter out logs that look like this:
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4658
EventType=0
Type=Information
ComputerName=comp1.domain.com
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=4463688
Keywords=Audit Success
Message=The handle to an object was closed.
Subject :
Security ID: DOMAIN1\SERVER01$
Account Name: SERVER01$
Account Domain: DOMAIN1
Logon ID: 0x347732
I need to filter out logs that have "Account Name: SERVER01$".
What is the best way to do this?
I know about props.conf and transforms.conf, but I don't know how to generate right regex for that.
Please help!
Maybe you want to use this -
| regex Account_Name!="\$$"
I am using this in my search string and it drops all the hostname$
Assuming that the sourcetype is WinEventLog:Security:
In props.conf:
[source::WinEventLog:Security]
TRANSFORMS-eliminate-4658-SERVER01 = eliminate-4658-SERVER01
In transforms.conf:
[eliminate-4658-SERVER01]
REGEX = (?ms)[\s\r\n]+EventCode\s*=\s*4658[\s\r\n]+.*[\s\r\n]+Account\s+Name:\s*SERVER01\$[\s\r\n]+
DEST_KEY = queue
FORMAT = nullQueue
You will need to restart splunkd on EVERY indexer and even then, only post-restart events will be dropped (what is in is in).
Woodcock thanks, but after your proposed changes I now have a situation where all of my security logs from this particular machine are filtered out. Not only 4658 with account name SERVER01$ but all.
Do you have any idea?
First, I forgot 1 key configuration: FORMAT = nullQueue
(I updated the answer). But that mistake should not have caused what you are describing. Fix that mistake and if it doesn't behave, then perhaps there is something else that you added that is doing this (e.g. blacklist).
Props.conf
[source::WinEventLog:Security]
TRANSFORMS-filterWinSecNull = filterWinSecNull
Transforms.conf
[filterWinSecNull]
REGEX = (?ms)[\s\r\n]+EventCode\s*=\s*4658[\s\r\n]+.*[\s\r\n]+Account\s+Name:\s*SERVER01\$[\s\r\n]+
DEST_KEY = queue
FORMAT = nullQueue
These are my props.conf and transforms.conf files.
I don't have any blacklists.
This configuration filters out all Windows security logs from that particular machine, which has lots of logs with Account Name SERVER01$.
Do you have any ideas?
Thanks in advance
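An added way to check what the nullQueue REGEX from the answer above (and repeated in my props.conf/transforms.conf) actually matches before restarting indexers: this is example code, not from the thread or from Splunk, and it runs the same pattern with Python's re module (which accepts this PCRE syntax) against constructed events modelled on the sample in the question. The make_event layout and account names other than SERVER01$ are assumptions.

```python
import re

# REGEX line from transforms.conf in the thread, used verbatim.
# (?ms): '.' spans lines and ^/$ are per-line, as in PCRE.
NULLQUEUE_REGEX = re.compile(
    r"(?ms)[\s\r\n]+EventCode\s*=\s*4658[\s\r\n]+.*[\s\r\n]+Account\s+Name:\s*SERVER01\$[\s\r\n]+"
)


def make_event(event_code: int, account_name: str) -> str:
    """Constructed WinEventLog:Security-style event (assumed layout, copied
    from the sample in the question with EventCode and Account Name varied)."""
    return (
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        f"EventCode={event_code}\n"
        "EventType=0\n"
        "Type=Information\n"
        "ComputerName=comp1.domain.com\n"
        "TaskCategory=Removable Storage\n"
        "OpCode=Info\n"
        "RecordNumber=4463688\n"
        "Keywords=Audit Success\n"
        "Message=The handle to an object was closed.\n"
        "Subject :\n"
        f"Security ID: DOMAIN1\\{account_name}\n"
        f"Account Name: {account_name}\n"
        "Account Domain: DOMAIN1\n"
        "Logon ID: 0x347732\n"
    )


def would_be_dropped(event: str) -> bool:
    """True when the transform REGEX matches, i.e. the event would be routed to nullQueue."""
    return NULLQUEUE_REGEX.search(event) is not None


def is_machine_account(account_name: str) -> bool:
    """Mirror of the search-time filter `| regex Account_Name!="\\$$"`: names ending in '$'."""
    return re.search(r"\$$", account_name) is not None


def keep_for_indexing(events: list) -> list:
    """Apply the index-time filter to a batch and return only the events that would be indexed."""
    return [e for e in events if not would_be_dropped(e)]
```

Only the 4658/SERVER01$ combination matches; a 4658 from a user account or another EventCode from SERVER01$ passes through, so if every event from the host disappears, something other than this REGEX is dropping it.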
It looks fine to me and it should work as you listed it. I am at a loss.
Do you need to prevent them from being indexed or do you need them to be dropped from a specific search's results set?
I need to prevent them from being indexed.
See my answer.
You need to blacklist your [WinEventLog://Security] input in inputs.conf
blacklist= EventCode="4658"
Refer to the documentation for using whitelist and blacklist in inputs.conf
http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Create_advanced_f...
Also for specs and conf of inputs.conf please refer http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
niketnilay, thanks for the answer, but I need EventCode 4658.
I want to filter out only the machine account Account Name: SERVER01$ that generates these logs. I need the other accounts.