I'm presently forwarding a number of different events to a receiver. It's working fine for complete events (i.e. 4729, 4728, etc.), but I would like to be able to forward on both the Event ID and Logon Type.
For example, in the below logs the EventCode is 4624 but the Logon Type is 3. I would like to be able to select EventCode=4624 and Logon_Type=(2|10). I've tried the below, however I can't get it to select anything... I'm also thinking that the actual Logon Type is actually in the Message field... But I'm not sure about this one...
Any help would be appreciated!
REGEX = (?msi)EventCode=4624.*(Message=Logon Type:*2|10)
DEST_KEY = _TCP_ROUTING
FORMAT = forwarder
---example event log---
Message=An account was successfully logged on.
Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0
Logon Type: 3
New Logon: Security ID: S-1-5-21-1275210071-113007714-1343024091-24644
Process Information: Process ID: 0x0 Process Name: -
Source Network Address: 10.10.10.10 Source Port: 2537
Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
There seems to be a problem with your regex. The regex will match either only the exact text "Message=Logon Type:2", or "Message=Logon Type2" without the colon, or finally "10" (the other half of the regex).
Something like this should work:
REGEX = (?msi)EventCode=4624.*Logon Type:\s*(2|10)
UPDATE Splunk 6.*
Since this version, you can actually specify a list or range of EventCodes to exclude at the forwarder level, in inputs.conf. It will reduce the volume at the forwarder level and reduce the network load.
disabled = 0
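As an added illustration (not code from the original question or answer), the following Python script applies both the questioner's original pattern and the corrected one from the answer to constructed sample events shaped like the log in the question. The event text, the tab spacing after "Logon Type:" and the `route` helper that mimics the transforms.conf stanza are assumptions made for this example; Python's `re` accepts the same `(?msi)` inline flags, so its behaviour on this input closely mirrors what Splunk's PCRE engine does.

```python
import re
from typing import Optional

# Constructed sample events (assumption: a trimmed version of the flattened
# WinEventLog text Splunk produces, with Windows-style tabs before the value).
def make_event(logon_type: int, event_code: int = 4624) -> str:
    return (
        f"EventCode={event_code}\n"
        "Message=An account was successfully logged on.\n"
        "Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0\n"
        f"Logon Type:\t\t\t{logon_type}\n"
        "New Logon: Security ID: S-1-5-21-1275210071-113007714-1343024091-24644\n"
        "Source Network Address: 10.10.10.10 Source Port: 2537\n"
    )

# The pattern from the question: the alternation is inside the group, so the
# second branch is a bare "10" that can match anywhere after EventCode=4624.
ORIGINAL_RE = re.compile(r"(?msi)EventCode=4624.*(Message=Logon Type:*2|10)")

# The corrected pattern from the answer: anchored on the literal "Logon Type:"
# and tolerant of the whitespace Windows puts before the value.
FIXED_RE = re.compile(r"(?msi)EventCode=4624.*Logon Type:\s*(2|10)")


def matched_logon_type(event: str, pattern: re.Pattern = FIXED_RE) -> Optional[str]:
    """Return the text captured by the pattern's group, or None if the event is not selected."""
    m = pattern.search(event)
    return m.group(1) if m else None


def route(event: str) -> Optional[str]:
    """Mimic the transforms.conf stanza (hypothetical helper): events matching the
    corrected regex are sent to the 'forwarder' TCP routing group, others are not."""
    return "forwarder" if FIXED_RE.search(event) else None


if __name__ == "__main__":
    # Logon Type 3 (network) should not be selected; 2 (interactive) and 10 (RDP) should.
    for lt in (2, 3, 10, 11):
        ev = make_event(lt)
        print(
            f"Logon Type {lt:>2}: original -> {matched_logon_type(ev, ORIGINAL_RE)!r:6} "
            f"fixed -> {matched_logon_type(ev)!r:6} route -> {route(ev)}"
        )
```

Running the script shows the practical risk in the original pattern: on the Logon Type 3 event it still reports a match, because the bare "10" branch is satisfied by the "10.10.10.10" source address, so the selection would key on whatever digits happen to appear later in the message rather than on the logon type. The corrected regex selects only the Logon Type 2 and 10 events and rejects 3, 11 and events with a different EventCode.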