Getting Data In

How to configure a heavy forwarder to filter out the ending string from Windows security event logs?

kalianov
Path Finder

Hello guys

I'm trying to drop the end of all Security events:

This event is generated when a logon session is created. It is generated on the computer that was accessed.
....

My conf files on the Heavy Forwarder are:

transforms.conf

[win-event-cut-en]
DEST_KEY = _raw
REGEX = ((.*+[\v])+)(?=This event is generated when)
FORMAT = $1

props.conf

[WinEventLog:Security]
TRANSFORMS-windows_events = win-event-cut-en

However, this does not work.

0 Karma
1 Solution

javiergn
Super Champion

The syntax looks correct, so just three questions:

  • Have you restarted your Heavy Forwarder after making those changes?
  • Where exactly did you configure those lines? Was it under system/local? Was it somewhere else?
  • How many hops are there between your event log collection and your heavy forwarder, and of what type (universal or heavy forwarders? something else?)?

Alternatively try the following SEDCMD line in your system/local/props.conf:

[source::WinEventLog:Security]
SEDCMD-win = s/(?mis)(Token Elevation Type indicates|This event is generated).*$//g

Source:

https://answers.splunk.com/answers/4752/disabling-or-removing-extra-description-text-in-windows-2008...
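To see what that SEDCMD actually does to an event, here is an added Python check (not from the thread and not Splunk's own code) that applies the same expression with Python's `re` to two constructed Security events; the timestamps, host and field values are made up for the example.

```python
import re

# Constructed sample of a 4624 event as it appears in _raw (values are made up).
SAMPLE_4624 = """04/15/2024 10:21:03 AM
LogName=Security
EventCode=4624
ComputerName=WS01.corp.example
TaskCategory=Logon
Message=An account was successfully logged on.

Subject:
\tSecurity ID:\t\tS-1-5-18
\tAccount Name:\t\tWS01$
Logon Type:\t\t\t3

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon.
"""

# Constructed 4688 sample; its trailer starts with the other alternation branch.
SAMPLE_4688 = """04/15/2024 10:22:17 AM
LogName=Security
EventCode=4688
Message=A new process has been created.
Process Information:
\tNew Process Name:\tC:\\Windows\\System32\\cmd.exe
\tToken Elevation Type:\t%%1938
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
"""

# Same pattern as the SEDCMD above. (?mis) = MULTILINE, IGNORECASE, DOTALL,
# so ".*$" runs from the first matching phrase to the end of the whole event,
# not just to the end of that line. SEDCMD is applied per event, so nothing
# past the event boundary is affected.
DESCRIPTION_TRAILER = re.compile(
    r"(?mis)(Token Elevation Type indicates|This event is generated).*$"
)


def strip_description(raw: str) -> str:
    """Return the event with the appended Windows explanatory text removed."""
    return DESCRIPTION_TRAILER.sub("", raw)


if __name__ == "__main__":
    for sample in (SAMPLE_4624, SAMPLE_4688):
        trimmed = strip_description(sample)
        print(f"{len(sample)} -> {len(trimmed)} bytes")
        print(trimmed)
```

Note that the field line `Token Elevation Type:\t%%1938` survives because the alternation requires the word `indicates` right after the phrase; only the explanatory sentence is dropped.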

kalianov
Path Finder

Your variant with SEDCMD works well.
Thanks a lot!

0 Karma

javiergn
Super Champion

No worries.
If I were you, I would still try to debug what's going on with the props and transforms alternative, as I couldn't see anything wrong with it. Keep in mind you might want to use this syntax in future for a different use case.

0 Karma

kalianov
Path Finder

1. Yes, I have restarted my HF.
2. My conf files are in $SPLUNK_HOME/system/local.
3. My configuration is very simple:
UF->HF->INDEXER

What is the difference between
[source::WinEventLog:Security]
and
[WinEventLog:Security]?

0 Karma

javiergn
Super Champion

[source::WinEventLog:Security] --> uses the source field as a filter
[WinEventLog:Security] --> uses the sourcetype field as a filter

In terms of precedence, source will override sourcetype (and host) for settings that are specified in multiple categories of matching [] stanzas.

See details below from props.conf documentation:

[<spec>]
* This stanza enables properties for a given <spec>.
* A props.conf file can contain multiple stanzas for any number of different <spec>.
* Follow this stanza name with any number of the following attribute/value pairs, as appropriate
  for what you want to do.
* If you do not set an attribute for a given <spec>, the default is used.

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an event.
3. source::<source>, where <source> is the source, or source-matching pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed source type
   classification rule.
These are only considered as a last resort before generating a new source type based on the
source seen.

**[<spec>] stanza precedence:**

For settings that are specified in multiple categories of matching [<spec>] stanzas,
[host::<host>] settings override [<sourcetype>] settings. Additionally,
[source::<source>] settings override both [host::<host>] and
[<sourcetype>] settings.

Based on what you are saying, can you run btool in your heavy forwarder in order to identify potential app conflicts in your props.conf and transforms.conf files?

./splunk cmd btool props list --debug
./splunk cmd btool transforms list --debug

Hope that helps.

0 Karma