Getting Data In

How to configure transforms to monitor only (2) EventCodes and filter out specific group service accounts from Windows security logs?

CaptainHook
Communicator

Using Splunk 6.4.1
I am trying to monitor the WinEventLog://Security; however, I only need to monitor two EventCodes (4732 and 4624). Additionally, we are looking to remove all service accounts from the indexing. (i.e. NT AUTHORITY, kerberos, etc...)

I had tried using a black/white list with no luck and now I am working through trying to utilize transforms.conf.

Any help would be appreciated.

1 Solution

wrangler2x
Motivator

In props.conf:

[WinEventLog:Security]
TRANSFORMS-sec = WinEventCodeSecDrop,WinEventCodeSecPass

In transforms.conf:

[WinEventCodeSecDrop]
REGEX = . 
DEST_KEY = queue
FORMAT = nullQueue

[WinEventCodeSecPass]
REGEX = (?m)^EventCode=(4624|4732)[^0-9]
DEST_KEY = queue 
FORMAT = indexQueue

This is the "traditional" way to do this. As of Splunk 6.x there is a new way. For that, take a look at this Splunk Answer and this blog entry:

  1. https://answers.splunk.com/answers/116817/filter-wineventlog-events-based-on-the-eventcodes.html
  2. http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/

View solution in original post

CaptainHook
Communicator

This is what I am trying just to remove the EventCode:

# props.conf
[WinEventLog://Security] 
TRANSFORMS-security= events-null, events-null3, events-filter

# transforms.conf
[events-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[events-null3]
REGEX=Logon Type=\\s*(3)\\D
DEST_KEY = queue
FORMAT = nullQueue

[events-filter]
REGEX – (?WinEventLog)^EventCode=(4688|4689|5152|4673|4634|4672|4674|4656|5447|4985|4648|4957|4611|4738|4724|6144)\\D
DEST_KEY = queue
FORMAT = indexQueue
0 Karma

wrangler2x
Motivator

I just noticed you have // in your props.conf stanza header. That is the source You need either

[WinEventLog:Security]

OR

[source::WinEventLog://Security]

The first is the sourcetype that gets assigned automatically when you splunk WinEvenLog:Security logs, and the second is the actual source you would specify in inputs.conf. Either should work, but I always use sourcetype.

I also just noticed that your REGEX has a hyphen following it, rather than an = equals sign. Also, AFAIK, (?WinEventLog) isn't a thing. What goes in () is explained here: http://www.regular-expressions.info/modifiers.html

0 Karma

CaptainHook
Communicator

Wrangler2x, thank you. You are correct on the (?WinEventLog), I had used (?msi) and (?m), i copied over the wrong config. Great catch on the "="

Great advice on both accounts and I now have the events recording with just those two EventCodes.

0 Karma

wrangler2x
Motivator

In props.conf:

[WinEventLog:Security]
TRANSFORMS-sec = WinEventCodeSecDrop,WinEventCodeSecPass

In transforms.conf:

[WinEventCodeSecDrop]
REGEX = . 
DEST_KEY = queue
FORMAT = nullQueue

[WinEventCodeSecPass]
REGEX = (?m)^EventCode=(4624|4732)[^0-9]
DEST_KEY = queue 
FORMAT = indexQueue

This is the "traditional" way to do this. As of Splunk 6.x there is a new way. For that, take a look at this Splunk Answer and this blog entry:

  1. https://answers.splunk.com/answers/116817/filter-wineventlog-events-based-on-the-eventcodes.html
  2. http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/

wrangler2x
Motivator

Ignore the 5. and 10. in the transforms.conf box. They were automagically put there when I posted this answer.

0 Karma

CaptainHook
Communicator

Thank you. I set up the configs using that format and it is working to only show those EventCodes. Thank you for that.

I thought it would be better to use a whitelist so, the Indexer is not doing all the work; however, that was not working.

To exclude certain ID's on those events, do you have any suggestions?

0 Karma

wrangler2x
Motivator

You can run these things on a forwarder if it is a heavy forwarder (that is, Enterprise Splunk). You'll want to disable the web interface.

As to exclude certain IDs, you already are excluding all other Event Codes but 4624 and 4732 with this configuration. However, you can add a third props.conf transform ref (making sure it is after WinEventCodeSecPass in props.conf) and then add it to transforms.conf like this (well call it WinEventCodeSecDrop2):

[WinEventCodeSecDrop2]
REGEX = (?m)^...
DEST_KEY = queue
FORMAT = nullQueue

Where ... is your regular expression. I had one case where I was whitelisting Event Code 697 but I had one computer which was very noisy on this Event Code so I wrote a regex to match on just that kind of log entry and drop it. So my ... regex line looked like this:

REGEX = (?m)^EventCode=697\D^EventType=8\D^Type=Success Audit\D^ComputerName=NOVA\D^User=sqladmin\D

the (?m) in the regex says the data is multi-line -- which Windows Event logs are, and the carat ^ after that says to start at the beginning of the line. The \D is matching on any character that is not a digit, which would include new line characters. Notice that each new line has a carat too.

In any case, that is but one example of adding a third drop, processed after the pass, because if done before the pass the pass will pick it back up.

0 Karma

wrangler2x
Motivator

Also, I since discovered you can use [\r\n]+ as a character-class to match end-of-line characters in Windows logs. In Windows the file is stored with carriage return, line feed.

\r matches carriage return (0x0D)
\n matches line feed (0x0A).

So, use [\r\n]+ instead of \D for matching a line break (end of line, then new line).

More on this when you scroll down to Line Break Characters

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...