Hi,
How can I filter out "type=Success Audit" logs off a windows event and log only the failure logs?
Currently I have this in transforms.conf:
[setnull]
REGEX = (?m)^EventCode = 673
DEST_KEY = queue
FORMAT = nullQueue
It is filtering off all of 673, but now I would like to capture the failure logs of 673 but not the success logs.
I'm just wondering if something like this can be done?
REGEX = (?m)^(EventCode = 673)(type = "Success Audit")
Thanks
I think something like this will work for you:
REGEX = [\r\n]+EventCode=673[\r\n]+.*?[\r\n]+Type=Success Audit[\r\n]
I would recommend reading up on regex syntax here:
On second glance, I'm not sure that your given example stanza should work the way you want it to. If you have a regex that's matching EventCode=673, then only those events would be sent to the null queue and everything else would be indexed as normal. So you really need a regex that matches everything but event code 673. Then to meet your full requirements (filtering out the success messages), you would want a regex that filters out everything but failure 673 events. Another approach is to use two transformers: the first one routes all events to the nullQueue, and the second only matches your 673 failure messages and then sets the queue to indexQueue.
You may find some more helpful examples on how to do this here:
Hi,
Thanks for the suggestions.
This is working for us by capturing eventcode 578 AND Type=Audit Success:
REGEX = (?msi)^EventCode=578.*^(Type=Audit Success)
I had to set something up like this. They wanted a list of the top 20 failed login by userid.
I set the following up as an event type: index="prod_dc_event_logs" sourcetype="security" Type="Failure Audit" EventCode="538" OR EventCode="540" OR EventCode="680"
Then I set the following search up: eventtype="WINTEL_FailedLogin" | chart count by Logon_account | sort 20 - count
Brian
I did it like that:
[wminull]
REGEX = (?msi)^(EventCode=697|Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue
So it simply filters EventCode=697 OR Type=Audit Success to the null queue
I got it mistaken. It doesn't seem to be working.
Using the REGEX I've tried to filter off based on User instead:
REGEX = [\r\n]+EventCode=673[\r\n]+.*?[\r\n]+User=SYSTEM[\r\n]
But it doesn't work.
Here is a sample of Windows event:
08/05/10 05:39:03 PM
LogName=Security
SourceName=Security
EventCode=673
EventType=8
Type=Success Audit
ComputerName=ServerA
User=SYSTEM
..
..
..
CategoryString=Account Logon
..
Message=Service Ticket Request:
User Name: ServerA.com
User Domain: ServerA.com
Service Name: ServerA$
..
..
Failure Code: -
...
Transited Services: -
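As an added example (not code from any poster in this thread), here is a small Python model of how the transforms.conf stanzas discussed above route an event: the single "drop 673 success audits" stanza, the two-transform pattern (everything to nullQueue, then 673 failures rescued to indexQueue), and the OR-style stanza. It assumes Splunk's documented behaviour that when several transforms set DEST_KEY = queue, the last one whose REGEX matches wins, and that Python's re treats the (?msi), ^ and [\r\n] constructs used here the same way as Splunk's PCRE. The sample events are constructed from the abbreviated event pasted above; the names route, matches and the *_EVENT / transform-list constants are mine. It also checks the [\r\n]+.*?[\r\n]+ pattern from the follow-up against the sample, which shows one reason such a pattern can fail: without the s flag, .*? cannot cross a newline, so it can only skip a single line between EventCode and User.

```python
import re

# Constructed sample event, modelled on the abbreviated event pasted in the thread.
# Splunk hands each event to transforms as one multi-line string.
SUCCESS_EVENT = """08/05/10 05:39:03 PM
LogName=Security
SourceName=Security
EventCode=673
EventType=8
Type=Success Audit
ComputerName=ServerA
User=SYSTEM
CategoryString=Account Logon
Message=Service Ticket Request:
User Name: ServerA.com
User Domain: ServerA.com
Service Name: ServerA$
Failure Code: -
Transited Services: -"""

# Same shape, but the audit outcome is a failure (constructed).
FAILURE_EVENT = SUCCESS_EVENT.replace("Type=Success Audit", "Type=Failure Audit")

# An unrelated event code, to check that filters do not over-match (constructed).
OTHER_EVENT = SUCCESS_EVENT.replace("EventCode=673", "EventCode=540")

# Each stanza is (name, REGEX, FORMAT) with DEST_KEY = queue, listed in the
# order props.conf would apply them.
ONLY_DROP_673_SUCCESS = [
    ("setnull", r"(?msi)^EventCode=673.*^Type=Success Audit", "nullQueue"),
]

# Two-transform pattern: send everything to nullQueue, then match only the
# 673 failures last so they end up in indexQueue.
KEEP_ONLY_673_FAILURES = [
    ("setnull", r".", "nullQueue"),
    ("setparsing", r"(?msi)^EventCode=673.*^Type=Failure Audit", "indexQueue"),
]

# OR-style stanza: drops a whole event code OR every success audit.
DROP_CODE_OR_SUCCESS = [
    ("wminull", r"(?msi)^(EventCode=697|Type=Success Audit)", "nullQueue"),
]


def route(event: str, transforms) -> str:
    """Model of Splunk queue routing (assumption): the default queue is
    indexQueue, and when several transforms set DEST_KEY = queue, the last
    transform whose REGEX matches the event wins."""
    queue = "indexQueue"
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def matches(regex: str, event: str) -> bool:
    """True if the stanza REGEX would fire on this event."""
    return re.search(regex, event) is not None


# Pattern from the follow-up post, with and without the s (dotall) flag.
LAZY_NO_DOTALL = r"[\r\n]+EventCode=673[\r\n]+.*?[\r\n]+User=SYSTEM[\r\n]"
LAZY_DOTALL = r"(?s)" + LAZY_NO_DOTALL


if __name__ == "__main__":
    for label, event in (("success", SUCCESS_EVENT),
                         ("failure", FAILURE_EVENT),
                         ("other", OTHER_EVENT)):
        print(label,
              "drop-success:", route(event, ONLY_DROP_673_SUCCESS),
              "keep-failures:", route(event, KEEP_ONLY_673_FAILURES),
              "or-stanza:", route(event, DROP_CODE_OR_SUCCESS))
    print("lazy pattern without s flag:", matches(LAZY_NO_DOTALL, SUCCESS_EVENT))
    print("lazy pattern with s flag:   ", matches(LAZY_DOTALL, SUCCESS_EVENT))
```

The practical point for a filter like this is to test it against a failure event as well as a success event before deploying it: a stanza that silently sends the failure audits to nullQueue removes exactly the records an investigation would need.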
Hi,
If two transformers are used, with the first one routing all events to nullQueue, then we will not be able to capture any other events?
Your REGEX seems to be working fine and thanks for the link.
I see Eventcode=673 without spaces.
Do your WinEventLogs contain spaces between the keys and values. For example, do you see "EventCode = 673", or "EventCode=673"?