Using Splunk 6.4.1
I am trying to monitor the WinEventLog://Security; however, I only need to monitor two EventCodes (4732 and 4624). Additionally, we are looking to remove all service accounts from the indexing. (i.e. NT AUTHORITY, kerberos, etc...)
I had tried using a black/white list with no luck and now I am working through trying to utilize transforms.conf.
Any help would be appreciated.
[WinEventLog:Security] TRANSFORMS-sec = WinEventCodeSecDrop,WinEventCodeSecPass
[WinEventCodeSecDrop] REGEX = . DEST_KEY = queue FORMAT = nullQueue [WinEventCodeSecPass] REGEX = (?m)^EventCode=(4624|4732)[^0-9] DEST_KEY = queue FORMAT = indexQueue
This is the "traditional" way to do this. As of Splunk 6.x there is a new way. For that, take a look at this Splunk Answer and this blog entry:
10. in the transforms.conf box. They were automagically put there when I posted this answer.
Thank you. I set up the configs using that format and it is working to only show those EventCodes. Thank you for that.
I thought it would be better to use a whitelist so, the Indexer is not doing all the work; however, that was not working.
To exclude certain ID's on those events, do you have any suggestions?
You can run these things on a forwarder if it is a heavy forwarder (that is, Enterprise Splunk). You'll want to disable the web interface.
As to exclude certain IDs, you already are excluding all other Event Codes but 4624 and 4732 with this configuration. However, you can add a third props.conf transform ref (making sure it is after WinEventCodeSecPass in props.conf) and then add it to transforms.conf like this (well call it WinEventCodeSecDrop2):
[WinEventCodeSecDrop2] REGEX = (?m)^... DEST_KEY = queue FORMAT = nullQueue
... is your regular expression. I had one case where I was whitelisting Event Code 697 but I had one computer which was very noisy on this Event Code so I wrote a regex to match on just that kind of log entry and drop it. So my
... regex line looked like this:
REGEX = (?m)^EventCode=697\D^EventType=8\D^Type=Success Audit\D^ComputerName=NOVA\D^User=sqladmin\D
(?m) in the regex says the data is multi-line -- which Windows Event logs are, and the carat
^ after that says to start at the beginning of the line. The
\D is matching on any character that is not a digit, which would include new line characters. Notice that each new line has a carat too.
In any case, that is but one example of adding a third drop, processed after the pass, because if done before the pass the pass will pick it back up.
Also, I since discovered you can use
[\r\n]+ as a character-class to match end-of-line characters in Windows logs. In Windows the file is stored with carriage return, line feed.
\r matches carriage return (0x0D)
\n matches line feed (0x0A).
[\r\n]+ instead of \D for matching a line break (end of line, then new line).
More on this when you scroll down to Line Break Characters
This is what I am trying just to remove the EventCode:
# props.conf [WinEventLog://Security] TRANSFORMS-security= events-null, events-null3, events-filter # transforms.conf [events-null] REGEX = . DEST_KEY = queue FORMAT = nullQueue [events-null3] REGEX=Logon Type=\\s*(3)\\D DEST_KEY = queue FORMAT = nullQueue [events-filter] REGEX – (?WinEventLog)^EventCode=(4688|4689|5152|4673|4634|4672|4674|4656|5447|4985|4648|4957|4611|4738|4724|6144)\\D DEST_KEY = queue FORMAT = indexQueue
I just noticed you have
// in your props.conf stanza header. That is the source You need either
The first is the sourcetype that gets assigned automatically when you splunk WinEvenLog:Security logs, and the second is the actual source you would specify in inputs.conf. Either should work, but I always use sourcetype.
I also just noticed that your REGEX has a hyphen following it, rather than an
= equals sign. Also, AFAIK, (?WinEventLog) isn't a thing. What goes in () is explained here: http://www.regular-expressions.info/modifiers.html
Wrangler2x, thank you. You are correct on the (?WinEventLog), I had used (?msi) and (?m), i copied over the wrong config. Great catch on the "="
Great advice on both accounts and I now have the events recording with just those two EventCodes.