Windows event filtering

Path Finder

Hi

We are trying to discard some noisy events from a Windows server with a specific event ID and want to do this from the index server (not from the forwarder).

We are not sure if we can use a conditional statement in the transforms.conf file. I have the following sample files and would appreciate it if you could help us.

I have copied the relevant stanza from /default to /local and created two files as below.

/local/props.conf

    [wmi]
    SHOULDLINEMERGE = false
    LINE_BREAKER = ([\r\n]+---splunk-wmi-end-of-event---\r\n[\r\n]*)
    CHARSET = UTF-8
    TRANSFORMS-wmi=wminull

/local/transforms.conf

    [wminull]
    REGEX = (?m)ComputerName=(hostname)
    DEST_KEY = MetaData:Host
    FORMAT = host::$1

Where do I put the event ID?

Thank you


Super Champion

This should work for you:

props.conf

    [source::wineventlog:security]
    TRANSFORMS-drop = delFilter

transforms.conf

    [delFilter]
    REGEX = (?msi)^EventCode=4776\D.*^Logon\s+Account:\s+dms-user.*^Source\s+Workstation:\s+dms-server
    DEST_KEY = queue
    FORMAT = nullQueue

You will notice that I changed your Server Name to Source Workstation because the EventCode 4776 does not have a Server Name field. If you meant Computer Name, then that would need to get inserted between Event Code and Logon Account. Like this:

    [delFilter]
    REGEX = (?msi)^EventCode=4776\D.*^ComputerName=dms-server.*^Logon\s+Account:\s+dms-user
    DEST_KEY = queue
    FORMAT = nullQueue

Good questions.

1) Yes, they need to be created on the indexer unless there is a heavy forwarder in between the source and indexer – in which case they might need to go on the forwarder depending on whether or not the heavy forwarder is ‘cooking’ data.

2) For props.conf and transforms.conf, you may have other entries, but be careful that they don’t conflict with the entries for this filter.

3) WMI inputs and monitoring Windows Eventlogs are two different animals.

a. The_wolverine says that the source needs to be specified as wmi for wmi data, but can be the standard wineventlog:security for monitoring of event logs. But, that was an old post, so perhaps things have changed. You can read the post for yourself here:

http://answers.splunk.com/answers/3239/try-to-route-certain-wmi-events-to-nullqueue

b. What this means is that for the props.conf [source::wineventlog:security] you might need to change it to [wmi].

I can’t test this until tomorrow.



Communicator

Just to note, still works completely fine. Used this as a base to get rid of Logoff events.


Path Finder

Thank you very much Luke very much appreciated and things are working as expected.

Thank you again.

Super Champion

To insert another server in the ComputerName field, you need to use the OR operator (otherwise known as the pipe, |).
For example:

    ComputerName=(dms-server1|dms-server2)
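To check a candidate REGEX before it goes into transforms.conf, here is an added Python example (not from the thread and not Splunk's own code) that applies the accepted answer's ComputerName regex, and the OR form from the comment above, to constructed 4776 events. Splunk matches REGEX with PCRE; only constructs that behave the same in Python's `re` are used, and `make_event`, the sample field values and the `_STRICT` variant are assumptions of this example.

```python
import re

def make_event(code, host, account):
    """Constructed Splunk-style multi-line Windows Security event (sample data,
    not captured from a real host). Field order mirrors WinEventLog output."""
    return (
        f"03/10/2015 09:12:31 AM\nLogName=Security\nEventCode={code}\n"
        f"EventType=0\nComputerName={host}\nTaskCategory=Credential Validation\n"
        "Message=The computer attempted to validate the credentials for an account.\n"
        "\nAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
        f"Logon Account:\t{account}\nSource Workstation:\tdms-ws01\nError Code:\t0x0\n"
    )

# REGEX values as written in the thread's transforms.conf stanzas.
# (?m) lets ^ anchor each line, (?s) lets .* span lines, (?i) ignores case.
DROP_ONE_HOST = (r"(?msi)^EventCode=4776\D.*^ComputerName=dms-server"
                 r".*^Logon\s+Account:\s+dms-user")
# The follow-up comment's OR form: alternation inside a group.
DROP_TWO_HOSTS = (r"(?msi)^EventCode=4776\D.*^ComputerName=(dms-server1|dms-server2)"
                  r".*^Logon\s+Account:\s+dms-user")
# Tightened variant (an assumption added here): \s*$ anchors each value to its
# line end, so dms-server no longer also matches dms-server1 by prefix.
DROP_ONE_HOST_STRICT = (r"(?msi)^EventCode=4776\s*$.*^ComputerName=dms-server\s*$"
                        r".*^Logon\s+Account:\s+dms-user\s*$")

def routes_to_nullqueue(regex, event):
    """True when the transform's REGEX matches, i.e. Splunk would set
    queue=nullQueue and the event would never be indexed."""
    return re.search(regex, event) is not None

def filter_events(regex, events):
    """Apply the transform to a batch and return the events that reach the index."""
    return [e for e in events if not routes_to_nullqueue(regex, e)]

if __name__ == "__main__":
    batch = [
        make_event(4776, "dms-server", "dms-user"),   # all three conditions: dropped
        make_event(4776, "dms-server", "jsmith"),     # other account: kept
        make_event(4624, "dms-server", "dms-user"),   # other event code: kept
        make_event(4776, "dms-server1", "dms-user"),  # prefix overmatch with the loose regex
    ]
    print("loose regex keeps", len(filter_events(DROP_ONE_HOST, batch)), "of", len(batch))
    print("strict regex keeps", len(filter_events(DROP_ONE_HOST_STRICT, batch)), "of", len(batch))
```

Because nothing anchors the end of each value, the thread's regex also drops events from a host named dms-server1 or an account named dms-user2; the strict variant shows the one-token fix for that.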

Path Finder

Thanks Luke.

All done, it's working now. I had to change the source in props.conf as below and it worked like a charm.

    [source::WinEventLog:ForwardedEvents]

Also, if I want to filter another server with a similar category, can I just insert another REGEX line in the transforms.conf file?

Thank you

Path Finder

Thanks for that, it is appreciated.

Let me confirm a few things, and please correct me if I am doing something wrong:

1) Create two files (props.conf and transforms.conf) on the index server (not on the forwarder).
2) The two files don't have any other contents apart from the above lines (of course with appropriate names).

How do we differentiate the source type between WMI and Windows Eventlog?

Thank you

Super Champion

You don't need Source Workstation if you need ComputerName instead. I updated the answer with the code.


Super Champion

As you can see, putting code in comments is hard because the system strips out special characters. I'll update the answer to use ComputerName shortly.


Path Finder

Hi Luke

Thanks for the answer, and you are right, I meant Computer-Name, not server name.

I didn't quite understand why `\s+Workstation:\s+dms-server` is needed if we just want to validate against three conditions (as above).

So which one would be the right one?

    REGEX = (?msi)^EventCode=4776\ComputerName=dms-server\D.^Logon\s+Account:\s+dms-user.^Source\s+Workstation:\s+dms-server

or

    REGEX = (?msi)^EventCode=4776\ComputerName=dms-server\D.^Logon\s+Account:\s+dms-user.^Source

Thank you again.

Path Finder

Yes, we are also trying to make sure all three of those conditions are true (AND condition rather than OR) before we drop the event.

Thank you

Super Champion

How funny is that, not one field but 3. It's still easy, but it will take a little time. Unfortunately, it is bed time for me.
What you're looking to do is to drop a particular event, and the solution will be based on the answer to this post:
http://answers.splunk.com/answers/99905/how-to-forward-only-specific-windows-eventlogs-via-splunk-un...
As you can see, the regex will need to be modified to include the multiple field values you've specified.
If it is not already done by the time I wake up, I'll give you a solution in the morning.


Path Finder

Hi Luke, thanks for the reply.

Event ID: 4776
Logon account: dms-user
Server Name: dms-server

Thank you

Super Champion

This is very easy to do. But, we need more information.
Which events would you like to drop?
