Getting Data In

How to configure the inputs.conf to only allow specific event IDs and only filter on a wildcard username?

catsmeowor
Explorer

Hi fellas,

Testing the product out.
Have 2012 DC --> UF --> Splunk test environment

I've figured out how to configure the inputs.conf to only allow specific event IDs through the whitelist
Is it possible to also only filter on a wildcard username? Let's say I have an environment where every admin starts with SUPER_ADMIN_X

Been trying to figure it out with no luck.

This is what I've been working with:

[WinEventLog://Security]
disabled = 0
# only index events with these event IDs.
whitelist = 4624,4634 
Message = Account\sName:\s+*super*
0 Karma
1 Solution

catsmeowor
Explorer

Did this with props.conf and transforms.conf

Props.conf

[source::*:Security]
TRANSFORMS-set = setnull,seclog

transforms.conf

[seclog]
REGEX = (?msi)(^EventCode=4634|4632).*(Account\sName:\t\tSUPER.)
DEST_KEY = queue
FORMAT = indexQueue

This is all for testing and obviously needs fine tuning for more appropriate eventID's and message information. Will attempt with different logon types, etc

(?msi)(^EventCode=4634|4624).*(Logon\sType:\t\t[1-3]).*(Account\sName:\t\tSUPER.)

Hope this helps someone in the future.
Cheers!

View solution in original post

0 Karma

catsmeowor
Explorer

Did this with props.conf and transforms.conf

Props.conf

[source::*:Security]
TRANSFORMS-set = setnull,seclog

transforms.conf

[seclog]
REGEX = (?msi)(^EventCode=4634|4632).*(Account\sName:\t\tSUPER.)
DEST_KEY = queue
FORMAT = indexQueue

This is all for testing and obviously needs fine tuning for more appropriate eventID's and message information. Will attempt with different logon types, etc

(?msi)(^EventCode=4634|4624).*(Logon\sType:\t\t[1-3]).*(Account\sName:\t\tSUPER.)

Hope this helps someone in the future.
Cheers!

0 Karma

mayurr98
Super Champion
0 Karma

catsmeowor
Explorer

Thanks - been down this road - but to no avali.

Would you happen to have an example of multi-line filtering?
Such as

All Events for 1234, 4321
and
All those events for a wildcard username "admin_*" for example?

I haven't had much luck with my googlefu.

0 Karma
Get Updates on the Splunk Community!

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...