Getting Data In

Drop Windows Event Logs with EventID 5156 and not RFC 1918

rtalcik
Path Finder

HI All,

   So i wrote this in attempt to reject all RFC1918  TO RFC1918 logs for windows event logs with WID 5156.  basically log anything external but not internal to internal communication.  The sample log is a sniplet of what i am trying to drop.

 

 

Props.conf

 

 

[WinEventLog:Security]
TRANSFORMS-sec = WinEventCode5156Drop,WinEventCodeSecDrop,WinEventCodeSecPass

 

 

 

 

Transforms.conf  (Is order of operations my issue here?)

 

 

[WinEventCode5156Drop]
REGEX=((EventCode(?:\S+)5156)[\s\S]*(((((?:Source Address|Destination Address)(?:\S+))(?:\s)+10\.))|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.1[6-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.2[0-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.3[0-1])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+127\.0\.0\.1)|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+192\.168))[\s\S]*((((?:Source Address|Destination Address)(?:\S+))(?:\s)+10\.)|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.1[6-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.2[0-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.3[0-1])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+127\.0\.0\.1)|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+192\.168)))
DEST_KEY = queue
FORMAT = nullQueue


[WinEventCodeSecDrop]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue



[WinEventCodeSecPass]
REGEX=(?:^EventCode=|<EventID>)(4618|4649|4719|4765|4766|4794|4897|4964|5124|550|1102|4621|4675|4692|4693|4706|4713|4714|4715|4716|4724|4727|4735|4737|4739|4754|4755|4764|4764|480|4816|4865|4866|4867|4868|4870|4882|4885|4890|4892|4896|4906|4907|4908|4912|4960|4961|4962|4963|4965|4976|4977|4978|4983|4984|5027|5028|5029|5030|5035|5037|5038|5120|5121|5122|5123|5376|5377|5453|5480|5483|5484|5485|6145|6273|6274|6275|6276|6277|6278|6279|6280|640|619|24586|24592|24593|2454|4608|4609|4610|4611|4612|4614|4615|4616|4622|4624|4625|4634|4646|4647|4648|4650|4651|4652|4653|4654|4655|4656|4657|4658|4659|4660|4661|4662|4663|4664|4665|4666|4667|4668|4670|4671|4672|4673|4674|4688|4689|4690|4691|4694|4695|4696|4697|4698|4699|4700|4701|4702|4704|4705|4707|4709|4710|4711|712|4717|4718|4720|4722|4723|4725|4726|4728|4729|4730|4731|4732|4733|4734|4738|4740|4741|4742|4743|4744|4745|4746|4747|4748|4749|4750|4751|4752|473|4756|4757|4758|4759|4760|4761|4762|4767|4768|4769|4770|4771|4772|4774|4775|4776|4777|4778|4779|4781|4782|4783|4784|4785|4786|4787|4788|4789|4790|4793|4800|4801|4802|4803|4864|4869|4871|4872|4873|4874|4875|4876|4877|4878|4879|4880|4881|4883|4884|4886|4887|4888|4889|4891|4893|4894|4895|4898|902|4904|4905|4909|4910|4928|4929|4930|4931|4932|4933|4934|4935|4936|4937|4944|4945|4946|4947|4948|4949|4950|4951|4952|4953|4954|4956|4957|4958|499|4980|4981|4982|4985|5024|5025|5031|5032|5033|5034|5039|5040|5041|5042|5043|5044|5045|5046|5047|5048|5050|5051|5056|5057|5058|5059|5060|5061|5062|5063|5064|5065|5066|5067|5068|5069|5070|5125|5126|5127|5136|5137|5138|5139|5140|5141|5152|5153|5154|5155|5156|5157|5158|5159|5378|5440|5441|5442|443|5444|5446|5447|5448|5449|5450|5451|5452|5456|5457|5458|5459|5460|5461|5462|5463|5464|5465|5466|5467|5468|5471|5472|5473|5474|5477|5479|5632|5633|5712|5888|5889|5890|608|6144|6272|561|563|625|613|614|615|616|24577|24578|24579|24580|24581|24582|24583|24584|24588|24595|24621|5049|5478)
DEST_KEY = queue
FORMAT = indexQueue 

 

 

 

I can't figure out why this isn't working.

 

 

 

Sample Log

 

 

10/21/2021 10:06:05 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName= (REDACTED BY ME THE POSTER)
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=7865970185
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.

Application Information:
	Process ID:		1548
	Application Name:	\device\harddiskvolume4\windows\system32\dns.exe

Network Information:
	Direction:		Inbound
Source Address:                 10.10.211.7
	Source Port:		53
Destination Address:            10.1.0.0
	Destination Port:       57834
	Protocol:		17

Filter Information:
	Filter Run-Time ID:	90427
	Layer Name:		Receive/Accept
	Layer Run-Time ID:	44

 

 

 

Labels (4)
0 Karma
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...