Getting Data In
Highlighted

How to configure transforms to monitor only (2) EventCodes and filter out specific group service accounts from Windows security logs?

Communicator

Using Splunk 6.4.1
I am trying to monitor the WinEventLog://Security; however, I only need to monitor two EventCodes (4732 and 4624). Additionally, we are looking to remove all service accounts from the indexing. (i.e. NT AUTHORITY, kerberos, etc...)

I had tried using a black/white list with no luck and now I am working through trying to utilize transforms.conf.

Any help would be appreciated.

Highlighted

Re: How to configure transforms to monitor only (2) EventCodes and filter out specific group service accounts from Windows security logs?

Motivator

In props.conf:

[WinEventLog:Security]
TRANSFORMS-sec = WinEventCodeSecDrop,WinEventCodeSecPass

In transforms.conf:

[WinEventCodeSecDrop]
REGEX = . 
DEST_KEY = queue
FORMAT = nullQueue

[WinEventCodeSecPass]
REGEX = (?m)^EventCode=(4624|4732)[^0-9]
DEST_KEY = queue 
FORMAT = indexQueue

This is the "traditional" way to do this. As of Splunk 6.x there is a new way. For that, take a look at this Splunk Answer and this blog entry:

  1. https://answers.splunk.com/answers/116817/filter-wineventlog-events-based-on-the-eventcodes.html
  2. http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/

View solution in original post

Highlighted

Re: How to configure transforms to monitor only (2) EventCodes and filter out specific group service accounts from Windows security logs?

Motivator

Ignore the 5. and 10. in the transforms.conf box. They were automagically put there when I posted this answer.

0 Karma
Highlighted

Re: How to configure transforms to monitor only (2) EventCodes and filter out specific group service accounts from Windows security logs?

Communicator

Thank you. I set up the configs using that format and it is working to only show those EventCodes. Thank you for that.

I thought it would be better to use a whitelist so, the Indexer is not doing all the work; however, that was not working.

To exclude certain ID's on those events, do you have any suggestions?

0 Karma
Highlighted

Re: How to configure transforms to monitor only (2) EventCodes and filter out specific group service accounts from Windows security logs?

Motivator

You can run these things on a forwarder if it is a heavy forwarder (that is, Enterprise Splunk). You'll want to disable the web interface.

As to exclude certain IDs, you already are excluding all other Event Codes but 4624 and 4732 with this configuration. However, you can add a third props.conf transform ref (making sure it is after WinEventCodeSecPass in props.conf) and then add it to transforms.conf like this (well call it WinEventCodeSecDrop2):

[WinEventCodeSecDrop2]
REGEX = (?m)^...
DEST_KEY = queue
FORMAT = nullQueue

Where ... is your regular expression. I had one case where I was whitelisting Event Code 697 but I had one computer which was very noisy on this Event Code so I wrote a regex to match on just that kind of log entry and drop it. So my ... regex line looked like this:

REGEX = (?m)^EventCode=697\D^EventType=8\D^Type=Success Audit\D^ComputerName=NOVA\D^User=sqladmin\D

the (?m) in the regex says the data is multi-line -- which Windows Event logs are, and the carat ^ after that says to start at the beginning of the line. The \D is matching on any character that is not a digit, which would include new line characters. Notice that each new line has a carat too.

In any case, that is but one example of adding a third drop, processed after the pass, because if done before the pass the pass will pick it back up.

0 Karma
Highlighted

Re: How to configure transforms to monitor only (2) EventCodes and filter out specific group service accounts from Windows security logs?

Motivator

Also, I since discovered you can use [\r\n]+ as a character-class to match end-of-line characters in Windows logs. In Windows the file is stored with carriage return, line feed.

\r matches carriage return (0x0D)
\n matches line feed (0x0A).

So, use [\r\n]+ instead of \D for matching a line break (end of line, then new line).

More on this when you scroll down to Line Break Characters

0 Karma
Highlighted

Re: How to configure transforms to monitor only (2) EventCodes and filter out specific group service accounts from Windows security logs?

Communicator

This is what I am trying just to remove the EventCode:

# props.conf
[WinEventLog://Security] 
TRANSFORMS-security= events-null, events-null3, events-filter

# transforms.conf
[events-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[events-null3]
REGEX=Logon Type=\\s*(3)\\D
DEST_KEY = queue
FORMAT = nullQueue

[events-filter]
REGEX – (?WinEventLog)^EventCode=(4688|4689|5152|4673|4634|4672|4674|4656|5447|4985|4648|4957|4611|4738|4724|6144)\\D
DEST_KEY = queue
FORMAT = indexQueue
0 Karma
Highlighted

Re: How to configure transforms to monitor only (2) EventCodes and filter out specific group service accounts from Windows security logs?

Motivator

I just noticed you have // in your props.conf stanza header. That is the source You need either

[WinEventLog:Security]

OR

[source::WinEventLog://Security]

The first is the sourcetype that gets assigned automatically when you splunk WinEvenLog:Security logs, and the second is the actual source you would specify in inputs.conf. Either should work, but I always use sourcetype.

I also just noticed that your REGEX has a hyphen following it, rather than an = equals sign. Also, AFAIK, (?WinEventLog) isn't a thing. What goes in () is explained here: http://www.regular-expressions.info/modifiers.html

0 Karma
Highlighted

Re: How to configure transforms to monitor only (2) EventCodes and filter out specific group service accounts from Windows security logs?

Communicator

Wrangler2x, thank you. You are correct on the (?WinEventLog), I had used (?msi) and (?m), i copied over the wrong config. Great catch on the "="

Great advice on both accounts and I now have the events recording with just those two EventCodes.

0 Karma