I am working with a customer that is trying to narrow down their Windows Security logs. They would like to isolate the Event Code to only 4732 and 4624, while excluding Logon Type "3" and the list of Account Names. This stanza does not seem to be working, and I was hoping someone might be able to assist with either cleaning it up or suggesting a better solution.
[WinEventLog://Security]
whitelist1 = 4732,4624
disabled = 0
followTail = 0
index = xxxxx
ignoreOlderThan = 2d
sourcetype = xxxx_wineventlog_sec
blacklist1 = Message="Logon\sType:\s+(3|(\w+\$))"
blacklist2 = Message="Account\sName:\s+(srvcy*|potalogp|micsperf|sssa|srvHPOM|srvc2cansible|(\w+\$))"
Thank you.
This is the configuration that I have been able to get working. I appreciate all the assistance as this literally came down to trial and error.
whitelist1 = 4732,4624
blacklist = Message="Logon\sType:\t+3"
blacklist1 = Message="Account\sName:\t+(srvcy*|potalogp|micsperf|sssa|srvHPOM|srvc2cansible)"
Thank you.
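As an added check that is not part of the thread, the following Python script simulates how the whitelist/blacklist lines above are applied (assumed semantics: an event must match a whitelist entry and no blacklist entry; within one entry, all key=regex pairs must match) and runs the working stanza against constructed 4624/4732/4688 messages. It also runs blacklist2 from the original post to show that its `(\w+\$)` alternative matches the Subject's computer account, which appears in the constructed 4624 text just as it does in many real ones. The sample messages, account names such as `srvcbackup`, and the helper functions are all constructed for this example.

```python
import re

# Stanza lines from the working configuration, in the key=regex form (delimiter,
# regex, same delimiter) that inputs.conf.spec describes.
WHITELIST = ["4732,4624"]
BLACKLIST = [
    r'Message="Logon\sType:\t+3"',
    r'Message="Account\sName:\t+(srvcy*|potalogp|micsperf|sssa|srvHPOM|srvc2cansible)"',
]
# blacklist2 from the original post, kept only to show what (\w+\$) matches.
ORIGINAL_BLACKLIST2 = r'Message="Account\sName:\s+(srvcy*|potalogp|micsperf|sssa|srvHPOM|srvc2cansible|(\w+\$))"'

def parse_entry(entry):
    # Returns ('codes', {ints}) for an event-code list, else ('pairs', [(key, regex)]).
    if "=" not in entry:
        codes = set()
        for part in entry.split(","):  # "4624" or a range such as "4624-4634"
            lo, _, hi = part.strip().partition("-")
            codes.update(range(int(lo), int(hi or lo) + 1))
        return "codes", codes
    pairs = re.findall(r"(\w+)=(\S)(.*?)\2(?=\s|$)", entry)
    return "pairs", [(key, re.compile(rx)) for key, _, rx in pairs]

def entry_matches(entry, event):
    kind, spec = parse_entry(entry)
    if kind == "codes":
        return int(event["EventCode"]) in spec
    # Several key=regex pairs on one line are ANDed; a missing key never matches.
    return all(key in event and rx.search(event[key]) for key, rx in spec)

def keep_event(event, whitelist, blacklist):
    """Assumed semantics: must pass some whitelist entry (if any) and no blacklist entry."""
    if whitelist and not any(entry_matches(e, event) for e in whitelist):
        return False
    return not any(entry_matches(e, event) for e in blacklist)

def logon_msg(logon_type, account):
    # Constructed 4624 text with the tab layout Windows uses. Account Name occurs
    # twice (Subject, here the computer account HOST01$, and New Logon).
    return ("An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n"
            "\tAccount Name:\t\tHOST01$\n\nLogon Type:\t\t\t%d\n\nNew Logon:\n"
            "\tSecurity ID:\t\tS-1-5-21-1-2-3-1001\n\tAccount Name:\t\t%s\n" % (logon_type, account))

EVENTS = {  # constructed sample events
    "network logon":     {"EventCode": "4624", "Message": logon_msg(3, "jsmith")},
    "interactive logon": {"EventCode": "4624", "Message": logon_msg(2, "jsmith")},
    "listed account":    {"EventCode": "4624", "Message": logon_msg(2, "micsperf")},
    "srvcbackup":        {"EventCode": "4624", "Message": logon_msg(2, "srvcbackup")},
    "group change":      {"EventCode": "4732", "Message": "A member was added to a security-enabled local group.\n\nSubject:\n\tAccount Name:\t\tadmin1\n"},
    "process start":     {"EventCode": "4688", "Message": "A new process has been created.\n"},
}

def filter_events(whitelist=WHITELIST, blacklist=BLACKLIST):
    """Map each sample event name to True (forwarded) or False (filtered out)."""
    return {name: keep_event(ev, whitelist, blacklist) for name, ev in EVENTS.items()}
```

Note that `srvcy*` means "srvc" followed by zero or more "y", so the unanchored regex also drops the constructed `srvcbackup` logon; a name list that is filtered out of the index is a blind spot, so check such patterns against real messages before deploying.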
I think the issue is that the Message field contains more than just the Logon or the Account Name. If there's other stuff in the Message, then I think you need to say that in the regex:
blacklist1 = Message=".*Logon\sType:\s+(3|(\w+\$)).*"
blacklist2 = Message=".*Account\sName:\s+(srvcy*|potalogp|micsperf|sssa|srvHPOM|srvc2cansible|(\w+\$)).*"
See the .* before and after?
Sorry for the delayed response...
This is not working either; I am starting to think this may need to be handled with another approach. The whitelist for !=LogonType 3 sounds interesting, but I am not certain how to write that in. Any suggestions there? Thank you.
Some regex tools: http://www.regexr.com/ and https://regex101.com/
In which way is not working? Is neither filter working? Or one but not the other?
I'm not sure if/how relevant, but the documentation mentions putting delimiters around the regex expression.
* key=regex format
* A whitespace-separated list of event log components to match, and
  regexes to match against them.
* There can be one match expression or multiple per line.
* The key must belong to the set of valid keys provided below.
* The regex consists of a leading delimiter, the regex expression, and a
  trailing delimiter. Examples: %regex%, *regex*, "regex"
* When multiple match expressions are present, they are treated as a
  logical AND. In other words, all expressions must match for the line to
  apply to the event.
* If the value represented by the key does not exist, it is not considered
  a match, regardless of the regex.
* Example:
  whitelist = EventCode=%^200$% User=%jrodman%
  Include events only if they have EventCode 200 and relate to User jrodman
This was the trick for me:
It worked when I added % around my regex as follows: %<Data Name='LogonType'>3<\/Data>%
It seems as if the filter for the logon type and the Account name work separately, but together they do not.
I think I misread the documentation, so you can ignore the comment about them being AND'd together. I think that is only if there are multiple expressions in one blacklist entry.
The documentation does say that they would be AND'd together. So if both blacklist entries are there, are Logon Type 3 events excluded for those particular users? That's the way I think it would work.
Not sure what the solution would be, maybe find a way to whitelist one of those conditions instead? For example, whitelist any Messages that don't equal Logon Type 3?