Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to configure the inputs.conf to only allow specific event IDs and only filter on a wildcard username?

catsmeowor
Explorer
‎02-05-2018 01:38 PM

Hi fellas,

Testing the product out.
Have 2012 DC --> UF --> Splunk test environment

I've figured out how to configure the inputs.conf to only allow specific event IDs through the whitelist
Is it possible to also only filter on a wildcard username? Let's say I have an environment where every admin starts with SUPER_ADMIN_X

Been trying to figure it out with no luck.

This is what I've been working with:

[WinEventLog://Security]
disabled = 0
# only index events with these event IDs.
whitelist = 4624,4634 
Message = Account\sName:\s+*super*
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

catsmeowor
Explorer
‎02-08-2018 08:59 AM

Did this with props.conf and transforms.conf

Props.conf

[source::*:Security]
TRANSFORMS-set = setnull,seclog

transforms.conf

[seclog]
REGEX = (?msi)(^EventCode=4634|4632).*(Account\sName:\t\tSUPER.)
DEST_KEY = queue
FORMAT = indexQueue

This is all for testing and obviously needs fine tuning for more appropriate eventID's and message information. Will attempt with different logon types, etc 

(?msi)(^EventCode=4634|4624).*(Logon\sType:\t\t[1-3]).*(Account\sName:\t\tSUPER.)

Hope this helps someone in the future.
Cheers!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

catsmeowor
Explorer
‎02-08-2018 08:59 AM

Did this with props.conf and transforms.conf

Props.conf

[source::*:Security]
TRANSFORMS-set = setnull,seclog

transforms.conf

[seclog]
REGEX = (?msi)(^EventCode=4634|4632).*(Account\sName:\t\tSUPER.)
DEST_KEY = queue
FORMAT = indexQueue

This is all for testing and obviously needs fine tuning for more appropriate eventID's and message information. Will attempt with different logon types, etc 

(?msi)(^EventCode=4634|4624).*(Logon\sType:\t\t[1-3]).*(Account\sName:\t\tSUPER.)

Hope this helps someone in the future.
Cheers!

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎02-05-2018 11:12 PM

I think you are looking for this :
http://docs.splunk.com/Documentation/Splunk/7.0.2/Forwarding/Routeandfilterdatad#Keep_specific_event...

let me know if this helps!

0 Karma
Reply
Solved! Jump to solution

catsmeowor
Explorer
‎02-06-2018 03:45 PM

Thanks - been down this road - but to no avali.

Would you happen to have an example of multi-line filtering?
Such as

All Events for 1234, 4321
and
All those events for a wildcard username "admin_*" for example?

I haven't had much luck with my googlefu.

0 Karma
Reply
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...