Getting Data In

How to configure a heavy forwarder to filter out the ending string from Windows security event logs?

kalianov
Path Finder

Hello guys

I'm trying to drop the end of all Security events:

This event is generated when a logon session is created. It is generated on the computer that was accessed.
....

My conf files on Heavy Forwarder is:

transforms.conf

[win-event-cut-en]
DEST_KEY = _raw
REGEX = ((.*+[\v])+)(?=This event is generated when)
FORMAT = $1

props.conf

[WinEventLog:Security]
TRANSFORMS-windows_events =win-event-cut-en

However, this does not work.

0 Karma
1 Solution

javiergn
SplunkTrust
SplunkTrust

The syntax looks correct so just three questions:

  • Have you restarted your Heavy Forwarder after making those changes?
  • Where exactly did you configure those lines? Was it under system/local? Was it somewhere else?
  • How many hops are there between your event log collection and your heavy forwarder and what type (universal or heavy forwarders? something else?) ?

Alternatively try the following SEDCMD line in your system/local/props.conf:

[source::WinEventLog:Security]
SEDCMD-win = s/(?mis)(Token Elevation Type indicates|This event is generated).*$//g

Source:

https://answers.splunk.com/answers/4752/disabling-or-removing-extra-description-text-in-windows-2008...

View solution in original post

javiergn
SplunkTrust
SplunkTrust

The syntax looks correct so just three questions:

  • Have you restarted your Heavy Forwarder after making those changes?
  • Where exactly did you configure those lines? Was it under system/local? Was it somewhere else?
  • How many hops are there between your event log collection and your heavy forwarder and what type (universal or heavy forwarders? something else?) ?

Alternatively try the following SEDCMD line in your system/local/props.conf:

[source::WinEventLog:Security]
SEDCMD-win = s/(?mis)(Token Elevation Type indicates|This event is generated).*$//g

Source:

https://answers.splunk.com/answers/4752/disabling-or-removing-extra-description-text-in-windows-2008...

kalianov
Path Finder

Your variant with SEDCMD works good
Thanks a lot!

0 Karma

javiergn
SplunkTrust
SplunkTrust

No worries.
If I were you I would still try to debug what's going on with the props and transforms alternative as I couldn't see anything wrong with it. Keep in mind you might want to use this syntax in future for a different use case.

0 Karma

kalianov
Path Finder

1 Yes, I have restarted my HF
2 My conf files is in SPLUNk_HOME$system/local
3 My configuration is very simple
UF->HF->INDEXER

What is the difference between
[source::WinEventLog:Security]
[WinEventLog:Security]

0 Karma

javiergn
SplunkTrust
SplunkTrust

[source::WinEventLog:Security] --> uses the source field as a filter
[WinEventLog:Security] --> uses the sourcetype field as a filter

In terms of precedence, source will override sourcetype (and host) for settings that are specified in multiple categories of matching [] stanzas.

See details below from props.conf documentation:

[<spec>]
* This stanza enables properties for a given <spec>.
* A props.conf file can contain multiple stanzas for any number of different <spec>.
* Follow this stanza name with any number of the following attribute/value pairs, as appropriate
  for what you want to do.
* If you do not set an attribute for a given <spec>, the default is used.

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an event.
3. source::<source>, where <source> is the source, or source-matching pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed source type
   classification rule.
These are only considered as a last resort before generating a new source type based on the
source seen.

**[<spec>] stanza precedence:**

For settings that are specified in multiple categories of matching [<spec>] stanzas,
[host::<host>] settings override [<sourcetype>] settings. Additionally,
[source::<source>] settings override both [host::<host>] and
[<sourcetype>] settings.

Based on what you are saying, can you run btool in your heavy forwarder in order to identify potential app conflicts in your props.conf and transforms.conf files?

./splunk cmd btool props list --debug
./splunk cmd btool transforms list --debug

Hope that helps

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...