Getting Data In

How to filter inputs.conf whitelist content for Windows event logs?

Aexyn
Engager

Hello,

I configured an audit on a folder on Windows. Now I want to send it to my Splunk Server, but there are many file audits configured by the system itself (file access in System32...) and I'm not interested in these logs.

So I need more than the eventID filter on the whitelist option of inputs.conf.

How can I do that, for example by checking the content of the log and only send it if it contains C:\MyFolder?

Thanks

0 Karma

ryanoconnor
Builder

You'll want to do this with a props.conf and transforms.conf. Things get slightly more complex if you want to filter everything and only include some things (such as C:\MyFolder). You'll also probably add a lot of additional processing in Splunk that isn't necessary. If it's the case that you only want to audit a specific folder, you might want to configure that auditing specifically inside the OS.

If you want to just filter out some folders (such as System32), you could setup a props.conf and transforms.conf like the following. You can also duplicate these for additional folders that you want to filter.

props.conf

[WinEventLog:Security]
TRANSFORMS-FilterEvent = FilterEventSystem32

transforms.conf

[FilterEventSystem32]
# events whose _raw text matches REGEX are routed to the null queue, i.e. discarded before indexing
REGEX = <REGEX_THAT_MATCHES_HERE>
DEST_KEY = queue
FORMAT = nullQueue

If you can send a sample event you'd like to filter out I can be more specific with a Regex.
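The props.conf/transforms.conf routing above can be checked before it is deployed. The following is an added example (not part of the original answer or of Splunk's own code) that models Splunk's queue-routing semantics in Python: each stanza is a (name, REGEX, FORMAT) tuple with DEST_KEY = queue, stanzas are applied in the order listed in TRANSFORMS-*, and the last matching stanza wins. It shows both the blacklist form from the answer (drop System32) and the whitelist form the question asks for (send everything to nullQueue, then route C:\MyFolder events back to indexQueue). The sample events are constructed, abbreviated classic-rendered 4663 events; the stanza names setnull and keepMyFolder and the regexes are assumptions, not values from the thread.

```python
import re

# Constructed, abbreviated classic-rendered Windows Security 4663 events, as the
# text would appear in _raw. These are not real captured events.
SAMPLE_EVENTS = [
    "EventCode=4663\r\nObject Name:\t\tC:\\Windows\\System32\\config\\SAM\r\nAccesses:\t\tReadData",
    "EventCode=4663\r\nObject Name:\t\tC:\\MyFolder\\secret.docx\r\nAccesses:\t\tWriteData",
    "EventCode=4663\r\nObject Name:\t\tC:\\MyFolder\\sub\\notes.txt\r\nAccesses:\t\tDELETE",
    "EventCode=4663\r\nObject Name:\t\tD:\\Share\\report.xlsx\r\nAccesses:\t\tReadData",
    "EventCode=4663\r\nObject Name:\t\tC:\\MyFolderBackup\\old.zip\r\nAccesses:\t\tReadData",
]

# A transforms.conf stanza is modelled as (name, REGEX, FORMAT) with DEST_KEY = queue.
# Blacklist variant from the answer: discard System32 accesses, keep everything else.
BLACKLIST_SYSTEM32 = [
    ("FilterEventSystem32", r"(?i)Object Name:\s+C:\\Windows\\System32\\", "nullQueue"),
]

# Whitelist variant (hypothetical stanza names): first send every event to the null
# queue, then route events under C:\MyFolder back to indexQueue. Order matters:
# the TRANSFORMS-* list is applied in order and the last match sets the queue.
# The trailing group (backslash, whitespace or end) stops C:\MyFolderBackup matching.
WHITELIST_MYFOLDER = [
    ("setnull", r".", "nullQueue"),
    ("keepMyFolder", r"(?i)Object Name:\s+C:\\MyFolder(?:\\|\s|$)", "indexQueue"),
]


def route_event(raw, transforms):
    """Return the queue one event ends up in under the given stanza list."""
    queue = "indexQueue"  # default destination when no stanza matches
    for _name, regex, fmt in transforms:
        if re.search(regex, raw):
            queue = fmt  # last matching stanza wins for a single DEST_KEY
    return queue


def route_all(events, transforms):
    """Route every sample event; returns a list of queue names in input order."""
    return [route_event(e, transforms) for e in events]


def render_transforms(transforms):
    """Render the modelled stanzas as transforms.conf text."""
    stanzas = []
    for name, regex, fmt in transforms:
        stanzas.append(f"[{name}]\nREGEX = {regex}\nDEST_KEY = queue\nFORMAT = {fmt}\n")
    return "\n".join(stanzas)


def render_props(stanza, transforms, class_name="route"):
    """Render the props.conf stanza that applies the transforms in order."""
    names = ", ".join(name for name, _regex, _fmt in transforms)
    return f"[{stanza}]\nTRANSFORMS-{class_name} = {names}\n"


if __name__ == "__main__":
    for label, transforms in (("blacklist", BLACKLIST_SYSTEM32),
                              ("whitelist", WHITELIST_MYFOLDER)):
        print(f"--- {label} ---")
        print(render_props("WinEventLog:Security", transforms))
        print(render_transforms(transforms))
        for event, queue in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS, transforms)):
            print(f"{queue:10s} {event.splitlines()[1]}")
```

Two practical notes: the rendered stanzas are what you would paste into props.conf and transforms.conf (the regex text is used as-is, with the path backslashes doubled because they are regex metacharacters), and nullQueue routing runs in the parsing pipeline, so it takes effect on an indexer or heavy forwarder, not on a universal forwarder. The events therefore still cross the network from the Windows host, which is the "additional processing" cost mentioned in the answer.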

Aexyn
Engager

Hi,

Finally, custom view configuration is rather limited and I'm not even sure I can do what I want, i.e. filtering the ObjectName field.
So I have just followed your advice on Splunk with a transforms.conf and props.conf configuration.

Even if I thought that was the "dirty way", after filtering "Object Name C:*" (even C:\Windows should be almost perfect) I don't receive any logs from chatty Windows any more.

If you want to do the same, honestly, don't waste your time searching for weird Windows configuration and just filter any chatty folder.

It is finally quite easy and powerful.

Thanks for all

0 Karma

ryanoconnor
Builder

That's awesome news, I'm glad you got it working! Let me know if you have any other questions around this.

0 Karma

Aexyn
Engager

Thanks for your reply.
Actually, my idea was to include only the events which concern this folder, with no restriction about the type of events (read, modification attempt, deletion ...).

There is no specific format for stored files, the only condition is the path "C:\Myfolder*" (or C:\Myfolder*).
Is it possible to exclude a drive?
This way I could just set my folder as a shared network drive (and exclude any other drive).

You're right about the OS configuration, I have started configuring Windows logs with the Advanced XML Filtering, it is a bit tedious but this should work.

About that, do you know if it is possible to forward Windows logs of a customised View, which filters logs, in the same way as ordinary logs (I mean [Winevent://MyView] in inputs.conf for example)?

0 Karma

ryanoconnor
Builder

I believe you should be able to use a custom view. Try this and see if it's what you're looking for?

http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorWindowseventlogdata#Use_the_.22Full_Na...

0 Karma