Hi fellas,
Testing the product out.
Have 2012 DC --> UF --> Splunk test environment
I've figured out how to configure the inputs.conf to only allow specific event IDs through the whitelist
Is it possible to also only filter on a wildcard username? Let's say I have an environment where every admin starts with SUPER_ADMIN_X
Been trying to figure it out with no luck.
This is what I've been working with:
[WinEventLog://Security]
disabled = 0
# only index events with these event IDs.
whitelist = 4624,4634
Message = Account\sName:\s+*super*
Did this with props.conf and transforms.conf

props.conf

[source::*:Security]
# setnull runs first and sends every Security event to the null queue; seclog
# then overrides the queue for the events to keep, so the order matters.
TRANSFORMS-set = setnull,seclog

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[seclog]
# event code anchored at the start of a line, then an account name beginning with SUPER
REGEX = (?msi)^EventCode=(4634|4632).*(Account\sName:\t\tSUPER.)
DEST_KEY = queue
FORMAT = indexQueue
This is all for testing and obviously needs fine tuning for more appropriate event IDs and message information. Will attempt with different logon types, etc.

(?msi)^EventCode=(4634|4624).*(Logon\sType:\t\t[1-3]).*(Account\sName:\t\tSUPER.)
Hope this helps someone in the future.
Cheers!
I think you are looking for this:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Forwarding/Routeandfilterdatad#Keep_specific_event...
Let me know if this helps!
Thanks - been down this road - but to no avail.
Would you happen to have an example of multi-line filtering?
Such as
All Events for 1234, 4321
and
All those events for a wildcard username "admin_*" for example?
I haven't had much luck with my googlefu.
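Added example, not from this thread or from Splunk: a small Python model of the setnull/seclog routing posted in the props.conf/transforms.conf answer above, applied to the "two event IDs plus a wildcard username" case asked about in the last reply. It runs the thread's regex (with the event-code alternation grouped as ^EventCode=(4634|4624)) over constructed, simplified Security events in the raw tab-separated layout the forwarder emits, and shows which queue each event lands in. The TIGHT_REGEX variant with (?!\d) is an assumption of this example, not something from the thread; Python's re module stands in for Splunk's PCRE, which handles these particular patterns the same way. The sample events are constructed and their field layout is simplified.

```python
import re

# The thread's filter with the event code alternation grouped so both codes are
# anchored to the start of a line (the posted `(^EventCode=4634|4624)` would
# anchor only 4634 and match "4624" anywhere in the event).
THREAD_REGEX = re.compile(
    r"(?msi)^EventCode=(4634|4624).*Logon\sType:\t\t[1-3].*Account\sName:\t\tSUPER"
)

# Assumed tightening for this example: `[1-3]` alone also matches the "1" of
# logon type 10 (RemoteInteractive) or 11, so require that no digit follows.
TIGHT_REGEX = re.compile(
    r"(?msi)^EventCode=(4634|4624).*Logon\sType:\t\t[1-3](?!\d).*Account\sName:\t\tSUPER"
)


def build_transforms(keep_regex):
    """Model of TRANSFORMS-set = setnull,seclog: setnull matches every event and
    sets nullQueue, then seclog sets indexQueue for the events to keep."""
    return [
        ("setnull", re.compile(r"."), "nullQueue"),
        ("seclog", keep_regex, "indexQueue"),
    ]


def route_event(raw, keep_regex=THREAD_REGEX):
    """Return the queue a raw event ends up in. Transforms are applied in the
    listed order and the last one whose REGEX matches sets the queue."""
    queue = "indexQueue"  # default destination when no transform matches
    for _name, regex, queue_name in build_transforms(keep_regex):
        if regex.search(raw):
            queue = queue_name
    return queue


def make_event(code, account, logon_type=None):
    """Constructed, simplified Security event in the forwarder's raw text
    layout ('Field:\\t\\tvalue' lines). Real events carry more fields and the
    tab counts vary per event type, so test against exported real events."""
    lines = [
        "01/01/2024 10:00:00 AM",
        "LogName=Security",
        f"EventCode={code}",
        "Message=Constructed sample event.",
        "",
        "Subject:",
        "\tAccount Name:\t\tSYSTEM",
        "",
    ]
    if logon_type is not None:
        lines += [f"Logon Type:\t\t{logon_type}", ""]
    lines += ["New Logon:", f"\tAccount Name:\t\t{account}"]
    return "\n".join(lines)


# Constructed sample set covering the cases the thread discusses.
SAMPLES = {
    "admin_network_logon": make_event(4624, "SUPER_ADMIN_1", 3),
    "user_network_logon": make_event(4624, "jsmith", 3),
    "admin_logoff": make_event(4634, "SUPER_ADMIN_2", 3),
    "admin_privileges": make_event(4672, "SUPER_ADMIN_1"),
    "admin_rdp_logon": make_event(4624, "SUPER_ADMIN_1", 10),
}


def route_all(keep_regex=THREAD_REGEX):
    """Route every sample and return {sample_name: queue}."""
    return {name: route_event(raw, keep_regex) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for regex_name, regex in (("thread regex", THREAD_REGEX), ("tight regex", TIGHT_REGEX)):
        print(f"--- {regex_name} ---")
        for name, queue in route_all(regex).items():
            print(f"{name:22} -> {queue}")
```

Two things the run makes visible: the thread's regex keeps the admin's logon type 10 (RDP) event even though the author meant types 1-3, and everything that does not match seclog, including failed logons and all non-admin activity, is discarded at the null queue and will not be in the index when an investigation needs it. Decide which events your detections and investigations rely on before putting a setnull rule in front of the Security log.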