Hello, community,
I need help reducing Events containing 4688 and ParentProcessName=*splunkd.exe
There is an excerpt from the log:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid=' XXXXXXXX -4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10:39:41.797279900Z'/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer> XXXXXXXX </Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0 XXXXXXXX 7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>XXXXXXXX -16384</Data></EventData></Event>
Can anyone help me create the appropriate regex I can use within the SEDCMD?
After the reduction the above event the result I am after should look something like this: <EventID>4688</EventID><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data>
Thank you!
Hi @DanAlexander
Here's a run anywhere SPL example to get you started...
| makeresults
| eval _raw="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid=' XXXXXXXX -4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10:39:41.797279900Z'/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer> XXXXXXXX </Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0 XXXXXXXX 7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>XXXXXXXX -16384</Data></EventData></Event>"
| rex mode=sed "s#(.+)(<EventID>\d+</EventID>)(.*)(<Data Name='ParentProcessName'>.+?</Data>)(.*)#\2\4#"
You should be able to put the final sed command into your props.conf SEDCMD. No double quotes needed. Also note, I used colon as separator instead of usual forward slash so the other forward slashes did not need escaping.
Hope that helps
Thanks for the reply @yeahnah
Should the SED look something like this under the stanza?
[WinEventLog]
SEDCMD=s/(.+)(<EventID>\d+</EventID>)(.*)(<Data Name='ParentProcessName'>.+?</Data>)(.*)/\2\4/g
Hi Dan
In props.conf on your heavy forwarder (or indexer) tier do something like this...
[WinEventLog]
SEDCMD-filter-winevent = s:(.+)(<EventID>\d+</EventID>)(.*)(<Data Name='ParentProcessName'>.+?</Data>)(.*):\2\4:g
As before, by using colon as the sed command separator you do not need to backslash escape the forward slash delimiters that exists in the event data. This is very important, otherwise the sed syntax will be invalid. Also note, give the SEDCMD a label, which can be whatever you like.
Finally, double check the sourcetype of the incoming event, as usually XML events have the XmlWinEventLog sourcetype.
You should be able to test the SEDCMD above via Add Data, in case it needs some more tweaking.
Hope that helps