How to filter off winevent code to capture only failure audit status?

remy06
Contributor

Hi,

How can I filter out "Type=Success Audit" logs from a Windows event log and index only the failure logs?

Currently I have this in transforms.conf:
[setnull]
REGEX = (?m)^EventCode = 673
DEST_KEY = queue
FORMAT = nullQueue

It is filtering off all 673 events, but now I would like to capture the failure logs of 673 but not the success logs.

I am just wondering if something like this can be done:
REGEX = (?m)^(EventCode = 673)(type = "Success Audit")

Thanks

0 Karma
2 Solutions

Lowell
Super Champion

I think something like this will work for you:

REGEX = [\r\n]+EventCode=673[\r\n]+.*?[\r\n]+Type=Success Audit[\r\n]

I would recommend reading up on regex syntax here:


On second glance, I'm not sure that your given example stanza should work the way you want it to. If you have a regex that's matching EventCode=673, then only those events would be sent to the null queue and everything else would be indexed as normal. So you really need a regex that matches everything but event code 673. Then to meet your full requirements (filtering out the success messages), you would want a regex that filters out everything but failure 673 events. Another approach is to use two transformers: the first one routes all events to the nullQueue, and the second only matches your 673 failure messages and then sets the queue to indexQueue.

You may find some more helpful examples on how to do this here:


remy06
Contributor

Hi,

Thanks for the suggestions.
This is working for us by capturing EventCode 578 AND Type=Audit Success:
REGEX = (?msi)^EventCode=578.*^(Type=Audit Success)


0 Karma

Brian_Osburn
Builder

I had to set something up like this. They wanted a list of the top 20 failed logins by user ID.

I set the following up as an event type: index="prod_dc_event_logs" sourcetype="security" Type="Failure Audit" EventCode="538" OR EventCode="540" OR EventCode="680"

Then I set the following search up: eventtype="WINTEL_FailedLogin" | chart count by Logon_account | sort 20 - count

Brian

0 Karma

Daniel
Explorer

I did it like that:

[wminull]
REGEX = (?msi)^(EventCode=697|Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue

So it simply filters EventCode=697 OR Type=Audit Success to the null queue

0 Karma

remy06
Contributor

I got it mistaken. It doesn't seem to be working. Using the REGEX, I've tried to filter based on User instead:
REGEX = [\r\n]+EventCode=673[\r\n]+.*?[\r\n]+User=SYSTEM[\r\n]
But it doesn't work.

Here is a sample of Windows event:
08/05/10 05:39:03 PM
LogName=Security
SourceName=Security
EventCode=673
EventType=8
Type=Success Audit
ComputerName=ServerA
User=SYSTEM
..
..
..
CategoryString=Account Logon
..
Message=Service Ticket Request:
User Name:      ServerA.com
User Domain:        ServerA.com
Service Name:       ServerA$
..
..
Failure Code:       -
...
Transited Services: -

0 Karma
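The two points raised above, Lowell's suggestion to route everything to the nullQueue and then send only the 673 failures back to the indexQueue, and the User=SYSTEM regex that did not fire against the sample event, can both be checked offline. The following is an added example, not code from the thread or from Splunk: a Python dry-run that applies transforms.conf stanzas in props.conf TRANSFORMS order against constructed events modeled on the one posted above. Python's re module stands in for Splunk's PCRE engine; for these patterns the semantics agree. The sourcetype name WinEventLog:Security, the stanza name keep_673_failures, the spelling Type=Failure Audit and all event values are assumptions for the example.

```python
"""Dry-run of Splunk-style nullQueue/indexQueue routing for Windows Security events.

Added example (not from the thread). Emulates: props.conf lists transforms in order,
each transforms.conf stanza with DEST_KEY = queue that matches sets the queue, and the
last matching stanza wins. Python re stands in for Splunk's PCRE engine.
"""
import re
from configparser import ConfigParser


def _event(code, event_type, audit_type, user, failure_code):
    """Constructed event in the legacy WinEventLog layout posted in the thread (CRLF)."""
    return "\r\n".join([
        "08/05/10 05:39:03 PM",
        "LogName=Security",
        "SourceName=Security",
        f"EventCode={code}",
        f"EventType={event_type}",          # 8 = audit success, 16 = audit failure
        f"Type={audit_type}",
        "ComputerName=ServerA",
        f"User={user}",
        "CategoryString=Account Logon",
        "Message=Service Ticket Request:",
        f"Failure Code:       {failure_code}",
    ]) + "\r\n"


# Constructed sample data; the values are made up for the example.
EVENT_673_SUCCESS = _event(673, 8, "Success Audit", "SYSTEM", "-")
EVENT_673_FAILURE = _event(673, 16, "Failure Audit", "SYSTEM", "0x12")
EVENT_540_SUCCESS = _event(540, 8, "Success Audit", "SYSTEM", "-")

# Assumed sourcetype stanza; the transform list is applied left to right.
PROPS_CONF = """
[WinEventLog:Security]
TRANSFORMS-routing = setnull, keep_673_failures
"""

# Two-stanza layout: discard everything, then rescue 673 failures (last match wins).
# "Type=Failure Audit" is an assumed spelling (the thread shows "Type=Success Audit").
TRANSFORMS_CONF = r"""
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_673_failures]
REGEX = (?ms)^EventCode=673[\r\n]+.*^Type=Failure Audit
DEST_KEY = queue
FORMAT = indexQueue
"""

# The stanza from the original question (without the spaces, as later confirmed).
# On its own it drops 673 events only; every other event code is still indexed.
ORIGINAL_TRANSFORMS_CONF = r"""
[setnull]
REGEX = (?m)^EventCode=673
DEST_KEY = queue
FORMAT = nullQueue
"""


def _parse(conf_text):
    cp = ConfigParser(interpolation=None)   # regexes may contain '%' or '$'
    cp.optionxform = str                    # keep REGEX / DEST_KEY / FORMAT as written
    cp.read_string(conf_text)
    return cp


def transform_order(props_conf, sourcetype):
    """Transform names from every TRANSFORMS-* key of the sourcetype, in order."""
    names = []
    for key, value in _parse(props_conf)[sourcetype].items():
        if key.startswith("TRANSFORMS-"):
            names += [n.strip() for n in value.split(",")]
    return names


def route(event, transforms_conf, order):
    """Final queue for one event: indexQueue unless a matching stanza says otherwise."""
    stanzas = _parse(transforms_conf)
    queue = "indexQueue"
    for name in order:
        st = stanzas[name]
        if st.get("DEST_KEY") == "queue" and re.search(st["REGEX"], event):
            queue = st["FORMAT"]
    return queue


def matches(regex, event):
    """True if a transforms.conf REGEX would fire on this event."""
    return re.search(regex, event) is not None


if __name__ == "__main__":
    order = transform_order(PROPS_CONF, "WinEventLog:Security")
    for label, ev in [("673 success", EVENT_673_SUCCESS),
                      ("673 failure", EVENT_673_FAILURE),
                      ("540 success", EVENT_540_SUCCESS)]:
        print(f"{label:12} -> {route(ev, TRANSFORMS_CONF, order)}")
    # The posted User=SYSTEM regex fails because `.*?` cannot cross the two lines
    # between EventCode and User without the (?s) flag.
    posted = r"[\r\n]+EventCode=673[\r\n]+.*?[\r\n]+User=SYSTEM[\r\n]"
    print("as posted:", matches(posted, EVENT_673_SUCCESS),
          " with (?s):", matches("(?s)" + posted, EVENT_673_SUCCESS))
```

The Type=Success Audit pattern from the accepted answer happens to work without (?s) because only one line (EventType=8) separates EventCode from Type, so the non-DOTALL `.*?` never has to cross a line break; the User=SYSTEM variant has three intervening lines and needs (?s) or an explicit `(?:[^\r\n]*[\r\n]+)*` between the fields. Before deploying, run the real regex through the same check against events exported from the forwarder, since field order and the exact Type wording vary between Windows versions and input types.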

remy06
Contributor

Hi,

If two transformers are used and the first one routes all events to the nullQueue, won't we then be unable to capture any other events?

Your REGEX seems to be working fine and thanks for the link.

0 Karma

remy06
Contributor

I see EventCode=673 without spaces.

0 Karma

Lowell
Super Champion

Do your WinEventLogs contain spaces between the keys and values. For example, do you see "EventCode = 673", or "EventCode=673"?

0 Karma
