How to configure a heavy forwarder to filter out the ending string from Windows security event logs?

kalianov
Path Finder

Hello guys

I'm trying to drop the end of all Security events:

This event is generated when a logon session is created. It is generated on the computer that was accessed.
....

My conf files on the Heavy Forwarder are:

transforms.conf

[win-event-cut-en]
DEST_KEY = _raw
REGEX = ((.*+[\v])+)(?=This event is generated when)
FORMAT = $1

props.conf

[WinEventLog:Security]
TRANSFORMS-windows_events =win-event-cut-en

However, this does not work.

0 Karma
1 Solution

javiergn
Super Champion

The syntax looks correct so just three questions:

  • Have you restarted your Heavy Forwarder after making those changes?
  • Where exactly did you configure those lines? Was it under system/local? Was it somewhere else?
  • How many hops are there between your event log collection and your heavy forwarder, and of what type (universal or heavy forwarders? something else?)?

Alternatively try the following SEDCMD line in your system/local/props.conf:

[source::WinEventLog:Security]
SEDCMD-win = s/(?mis)(Token Elevation Type indicates|This event is generated).*$//g

Source:

https://answers.splunk.com/answers/4752/disabling-or-removing-extra-description-text-in-windows-2008...
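To see what the SEDCMD above actually strips, here is an added example (not from the original thread) that applies the same pattern in Python to a constructed, abbreviated 4624 event. TRANSFORMS_PATTERN is an assumed Python-compatible equivalent of the transforms.conf regex from the question, not the regex as posted.

```python
import re

# Constructed sample of a Windows 4624 event as it arrives from a universal
# forwarder (abbreviated; not a real captured log).
SAMPLE_EVENT = """05/20/2024 10:15:01 AM
LogName=Security
EventCode=4624
ComputerName=WS01.example.local
TaskCategory=Logon
Message=An account was successfully logged on.

Subject:
\tSecurity ID:\t\tS-1-5-18
\tAccount Name:\t\tWS01$

Logon Type:\t\t\t3

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon."""

# Same regex as the SEDCMD in the answer; Splunk's SEDCMD is s/regex/replacement/flags,
# which maps directly onto re.sub here. (?s) makes .*$ run to the end of the event.
SEDCMD_PATTERN = re.compile(r"(?mis)(Token Elevation Type indicates|This event is generated).*$")

def apply_sedcmd(raw: str) -> str:
    """Drop the boilerplate description the way SEDCMD-win would at parse time."""
    return SEDCMD_PATTERN.sub("", raw)

# Assumed Python rendering of the transforms.conf approach (DEST_KEY=_raw, FORMAT=$1):
# keep everything before the description. Python's re has no possessive `.*+`
# and reads [\v] as a literal vertical tab, so only the lookahead carries over as-is.
TRANSFORMS_PATTERN = re.compile(r"(?s)^(.*?)(?=This event is generated when)")

def apply_transforms(raw: str) -> str:
    """Return group 1, or the event unchanged when the lookahead never matches
    (a non-matching transform leaves _raw untouched)."""
    m = TRANSFORMS_PATTERN.match(raw)
    return m.group(1) if m else raw

if __name__ == "__main__":
    print(apply_sedcmd(SAMPLE_EVENT))
```

Both functions return the same truncated event for this sample, so if the SEDCMD works and the transform does not, the difference lies in where the stanzas are applied, not in the regexes.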

kalianov
Path Finder

Your variant with SEDCMD works well.
Thanks a lot!

0 Karma

javiergn
Super Champion

No worries.
If I were you I would still try to debug what's going on with the props and transforms alternative as I couldn't see anything wrong with it. Keep in mind you might want to use this syntax in future for a different use case.

0 Karma

kalianov
Path Finder

1. Yes, I have restarted my HF
2. My conf files are in SPLUNK_HOME/system/local
3. My configuration is very simple:
UF->HF->INDEXER

What is the difference between
[source::WinEventLog:Security]
and
[WinEventLog:Security]?

0 Karma

javiergn
Super Champion

[source::WinEventLog:Security] --> uses the source field as a filter
[WinEventLog:Security] --> uses the sourcetype field as a filter

In terms of precedence, source will override sourcetype (and host) for settings that are specified in multiple categories of matching [] stanzas.

See details below from props.conf documentation:

[<spec>]
* This stanza enables properties for a given <spec>.
* A props.conf file can contain multiple stanzas for any number of different <spec>.
* Follow this stanza name with any number of the following attribute/value pairs, as appropriate
  for what you want to do.
* If you do not set an attribute for a given <spec>, the default is used.

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an event.
3. source::<source>, where <source> is the source, or source-matching pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed source type
   classification rule.
These are only considered as a last resort before generating a new source type based on the
source seen.

**[<spec>] stanza precedence:**

For settings that are specified in multiple categories of matching [<spec>] stanzas,
[host::<host>] settings override [<sourcetype>] settings. Additionally,
[source::<source>] settings override both [host::<host>] and
[<sourcetype>] settings.

Based on what you are saying, can you run btool in your heavy forwarder in order to identify potential app conflicts in your props.conf and transforms.conf files?

./splunk cmd btool props list --debug
./splunk cmd btool transforms list --debug

Hope that helps

0 Karma