Hi,
I have a stanza which looks like this:
[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
renderXml=true
#Block events
whitelist = $XmlRegex='Level="2"'
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
If I remove the whitelist I get all the event types. However I only want the Error events. Without the renderXml option, my whitelist would look like this:
whitelist = Type="Error"
However, when rendered in Xml the event level is rendered like this <level>2</level>
However, the documentation has only the most basic example of searching for text when using renderXml.
Does anyone have any experience in advanced syntax for this option? I've tried:
whitelist = $XmlRegex='Level="2"'
whitelist = $XmlRegex=Level="2"
whitelist = $XmlRegex="\<Level\>2"
Thanks to @dan_mcinnes for his answer which made me think about testing my regex using Search. The tip about capturing groups wasn't actually needed. It was the escaping of the <
which was causing it to fail. Actually none of the characters in <Level>2</Level>
are special.
I always thought that unneeded escaping was "safe" so if you escaped a non-special character that it wouldn't affect the match, but it turns out it did.
Hi,
I've actually just been looking into the same thing. It looks like you need to include a capture group within your regex that will match something in the event.
I found the best way to get this right the first time round is by starting with a search in Splunk web that includes the regex command to test your regex quickly. Something like the example below should match your event. (Change the index to suit your needs)
index=* | regex _raw="(?<=Level\>)(4)"
If this works then you know your regex is matching correctly, you should then be able to take that and add it to a blacklist or whitelist depending on what you want
whitelist = $XmlRegex = '(?<=Level\>)(4)'
blacklist = $XmlRegex = '(?<=Level\>)(4)'
I also like to use https://regex101.com/ when I'm doing anything with regex, I'd recommend checking it out.
Hi,
It's a standard windows event log. Apologies that my link to the Splunk documentation didn't work. You can see a sample event in here
https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/MonitorWindowseventlogdata
Scroll down to the heading: Display Windows Event Log events in XML
try using whitelist = $XmlRegex=Event.System.Level=2
Well I tried something very similar. Would you need to escape the <
Like this 2\
Forward slashes don't require escaping in my experience.
2<\/Level>
Without the escaping, the regex isn't working
Hmm, the web portal mangled my reply.
Have you tested the above? I tried something very similar (see my OP) and it didn't work.
Thanks for your suggestion, but it didn't work. Here is a sample of the actual event:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-AppLocker' Guid='{cbda4dbf-8d5d-4f69-9578-be14aa540d22}'/><EventID>8002</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2020-01-20T22:30:09.805334100Z'/><EventRecordID>28242</EventRecordID><Correlation/><Execution ProcessID='4640' ThreadID='7872'/><Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel><Computer>HOSTNAME</Computer><Security UserID='S-1-5-21-3206126476-1968031584-1518185873-1130'/></System><UserData><RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'><PolicyNameLength>3</PolicyNameLength><PolicyName>DLL</PolicyName><RuleId>{bac4b0bf-6f1b-40e8-8627-8545fa89c8b6}</RuleId><RuleNameLength>37</RuleNameLength><RuleName>(Default Rule) Microsoft Windows DLLs</RuleName><RuleSddlLength>57</RuleSddlLength><RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "%WINDIR%\*"))</RuleSddl><TargetUser>S-1-5-21-3206126476-1968031584-1518185873-1130</TargetUser><TargetProcessId>4640</TargetProcessId><FilePathLength>22</FilePathLength><FilePath>%SYSTEM32%\NTMARTA.DLL</FilePath><FileHashLength>0</FileHashLength><FileHash></FileHash><FqbnLength>117</FqbnLength><Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NTMARTA.DLL\10.0.17763.01</Fqbn><TargetLogonId>0x71c37ca</TargetLogonId></RuleAndFileData></UserData></Event>
2<\/Level> tried this?
Thanks for your suggestion, but this whitelist didn't work. With the input enabled all events are forwarded. I've tried it as you suggested and have put the "2" in quotes.
Here is a copy and paste of an actual event:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-AppLocker' Guid='{cbda4dbf-8d5d-4f69-9578-be14aa540d22}'/><EventID>8002</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2020-01-20T22:30:09.805334100Z'/><EventRecordID>28242</EventRecordID><Correlation/><Execution ProcessID='4640' ThreadID='7872'/><Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel><Computer>ZPVWMGT01X.dmz.amsa.gov.au</Computer><Security UserID='S-1-5-21-3206126476-1968031584-1518185873-1130'/></System><UserData><RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'><PolicyNameLength>3</PolicyNameLength><PolicyName>DLL</PolicyName><RuleId>{bac4b0bf-6f1b-40e8-8627-8545fa89c8b6}</RuleId><RuleNameLength>37</RuleNameLength><RuleName>(Default Rule) Microsoft Windows DLLs</RuleName><RuleSddlLength>57</RuleSddlLength><RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "%WINDIR%\*"))</RuleSddl><TargetUser>S-1-5-21-3206126476-1968031584-1518185873-1130</TargetUser><TargetProcessId>4640</TargetProcessId><FilePathLength>22</FilePathLength><FilePath>%SYSTEM32%\NTMARTA.DLL</FilePath><FileHashLength>0</FileHashLength><FileHash></FileHash><FqbnLength>117</FqbnLength><Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NTMARTA.DLL\10.0.17763.01</Fqbn><TargetLogonId>0x71c37ca</TargetLogonId></RuleAndFileData></UserData></Event>
Can you provide a sample event?