I need to filter out logs that have "Account Name: SERVER01$"

New Member

Hello everybody,

I'm new to this field and I have one question.
We have too many Windows security logs indexed that are generated by machine accounts.
I want to filter out logs that look like this:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4658
EventType=0
Type=Information
ComputerName=comp1.domain.com
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=4463688
Keywords=Audit Success
Message=The handle to an object was closed.

Subject :
Security ID: DOMAIN1\SERVER01$
Account Name: SERVER01$
Account Domain: DOMAIN1
Logon ID: 0x347732

I need to filter out logs that have "Account Name: SERVER01$".
What is the best way to do this?
I know about props.conf and transforms.conf, but I don't know how to write the right regex for that.

Please help!

0 Karma

Re: I need to filter out logs that have "Account Name: SERVER01$"

Legend

You need to blacklist your [WinEventLog://Security] input in inputs.conf

blacklist= EventCode="4658"

Refer to the documentation for using whitelist and blacklist in inputs.conf:
http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Create_advanced_f...

Also for specs and conf of inputs.conf please refer http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

| eval message="Happy Splunking!!!"

0 Karma
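The blacklist above drops every 4658, which is more than the asker wants (see the next reply). The same input-side filter can be narrowed to the one machine account by combining keys on a single blacklist line: every key=regex pair on that line must match, so only 4658 events whose rendered message carries "Account Name: SERVER01$" are dropped and all other 4658s are still indexed. This is an added example, not configuration from the thread; the Message regex and the SERVER01$ account name are assumptions for illustration, and the stanza name must match the Security input actually defined on the forwarder.

```ini
# inputs.conf on the forwarder that collects the Security log (added example,
# not from the thread). Key=regex pairs on one blacklistN line are ANDed:
# the event is dropped only when EventCode is 4658 AND the message contains
# the machine account SERVER01$ as the Subject Account Name. The "$" is a
# regex metacharacter, so it is escaped to match the literal trailing dollar.
[WinEventLog://Security]
disabled = 0
blacklist1 = EventCode="4658" Message="Account Name:\s+SERVER01\$"

# To drop 4658 for every machine account instead (their names end in "$"),
# replace the line above with:
# blacklist1 = EventCode="4658" Message="Account Name:\s+[^\s]+\$"
```

Filtering at the input keeps the events off the network and off the indexers entirely, at the cost of a forwarder restart to pick up the change. After restarting, `splunk btool inputs list --debug` on the forwarder shows which inputs.conf file the effective blacklist line comes from, which is the first thing to check if events keep arriving.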

Re: I need to filter out logs that have "Account Name: SERVER01$"

New Member

niketnilay, thanks for the answer, but I need EventCode 4658.
I want to filter out only the machine account (Account Name: SERVER01$) that generates these logs. The other accounts I need.

0 Karma

Re: I need to filter out logs that have "Account Name: SERVER01$"

Esteemed Legend

Do you need to prevent them from being indexed, or do you need them to be dropped from a specific search's result set?

0 Karma

Re: I need to filter out logs that have "Account Name: SERVER01$"

New Member

I need to prevent them from being indexed.

0 Karma

Re: I need to filter out logs that have "Account Name: SERVER01$"

Esteemed Legend

See my answer.

0 Karma

Re: I need to filter out logs that have "Account Name: SERVER01$"

Esteemed Legend

Assuming that the sourcetype is WinEventLog:Security:

In props.conf:

[source::WinEventLog:Security]
TRANSFORMS-eliminate-4658-SERVER01 = eliminate-4658-SERVER01

In transforms.conf:

[eliminate-4658-SERVER01]
REGEX = (?ms)[\s\r\n]+EventCode\s*=\s*4658[\s\r\n]+.*[\s\r\n]+Account\s+Name:\s*SERVER01\$[\s\r\n]+
DEST_KEY = queue
FORMAT = nullQueue

You will need to restart splunkd on EVERY indexer and even then, only post-restart events will be dropped (what is in is in).

0 Karma
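Before pushing a nullQueue transform to every indexer and restarting splunkd, it pays to check what the REGEX will and will not drop. The following is an added Python harness, not code from the thread: it runs the exact REGEX from the answer above over constructed sample events laid out like the asker's event (the jsmith user, the 4624 event and the SERVER010$ account are made up for the test). Python's re module treats the constructs used here, (?ms), \s, greedy .* and \$, the same way Splunk's PCRE engine does, so the routing decision below is the one the indexer would make.

```python
import re

# The nullQueue REGEX from the transforms.conf stanza above, unchanged.
# (?s) lets "." cross newlines, which the greedy ".*" needs to get from the
# EventCode line down to the Subject block; (?m) is unused here but harmless.
NULLQUEUE_REGEX = re.compile(
    r"(?ms)[\s\r\n]+EventCode\s*=\s*4658[\s\r\n]+.*[\s\r\n]+"
    r"Account\s+Name:\s*SERVER01\$[\s\r\n]+"
)


def make_event(event_code, account_name, message):
    """Build a constructed WinEventLog:Security event in the asker's layout."""
    return (
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        f"EventCode={event_code}\n"
        "EventType=0\n"
        "Type=Information\n"
        "ComputerName=comp1.domain.com\n"
        "Keywords=Audit Success\n"
        f"Message={message}\n"
        "\n"
        "Subject :\n"
        f"Security ID: DOMAIN1\\{account_name}\n"
        f"Account Name: {account_name}\n"
        "Account Domain: DOMAIN1\n"
        "Logon ID: 0x347732\n"
    )


# Constructed sample events (not real log data): the noisy case plus three
# neighbours that must survive the filter.
SAMPLE_EVENTS = {
    "4658 from SERVER01$": make_event(
        4658, "SERVER01$", "The handle to an object was closed."),
    "4658 from jsmith": make_event(
        4658, "jsmith", "The handle to an object was closed."),
    "4624 from SERVER01$": make_event(
        4624, "SERVER01$", "An account was successfully logged on."),
    "4658 from SERVER010$": make_event(
        4658, "SERVER010$", "The handle to an object was closed."),
}


def route(event, pattern=NULLQUEUE_REGEX):
    """Mimic DEST_KEY = queue / FORMAT = nullQueue: a match drops the event.

    Splunk applies REGEX as an unanchored search over the whole raw event,
    so re.search (not re.match) is the right equivalent.
    """
    return "nullQueue" if pattern.search(event) else "indexQueue"


def apply_filter(events, pattern=NULLQUEUE_REGEX):
    """Route every event; returns {label: queue name}."""
    return {label: route(ev, pattern) for label, ev in events.items()}


if __name__ == "__main__":
    for label, queue in apply_filter(SAMPLE_EVENTS).items():
        print(f"{label:<22} -> {queue}")
```

Only the 4658 from SERVER01$ lands in nullQueue. The 4658 from jsmith and the 4624 from SERVER01$ are kept because the pattern requires both the event code and the account name, and SERVER010$ is kept because `\$` pins the literal dollar sign directly after "SERVER01"; dropping that escape would turn the account name into a prefix match and silently discard more hosts than intended. Pasting real raw events from a search into route() is a cheap way to confirm the pattern before touching the indexers.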

Re: I need to filter out logs that have "Account Name: SERVER01$"

New Member

Woodcock, thanks, but after your proposed changes I now have a situation where all of my security logs from this particular machine are filtered out. Not only 4658 with Account Name SERVER01$, but all of them.
Do you have any idea?

0 Karma

Re: I need to filter out logs that have "Account Name: SERVER01$"

Esteemed Legend

First, I forgot 1 key configuration: FORMAT = nullQueue (I updated the answer). But that mistake should not have caused what you are describing. Fix that mistake and if it doesn't behave, then perhaps there is something else that you added that is doing this (e.g. blacklist).

0 Karma

Re: I need to filter out logs that have "Account Name: SERVER01$"

New Member

Props.conf
[source::WinEventLog:Security]
TRANSFORMS-filterWinSecNull = filterWinSecNull

Transforms.conf
[filterWinSecNull]
REGEX = (?ms)[\s\r\n]+EventCode\s*=\s*4658[\s\r\n]+.*[\s\r\n]+Account\s+Name:\s*SERVER01\$[\s\r\n]+
DEST_KEY = queue
FORMAT = nullQueue

These are my props.conf and transforms.conf files.
I don't have any blacklists.
This configuration filters out all Windows security logs from that particular machine, which has lots of logs with Account Name SERVER01$.

Do you have any ideas?

Thanks in advance

0 Karma