Solved: How to filter out all WinEventLog:Security message...

Shark2112 · ‎02-19-2016

Hey guys.

I want to exclude all messages from WinEventLog:Security except those containing the word "delete"(for deleted file audit).

I was trying 2 ways:

1st: in inputs.conf

[WinEventLog://Security]
whitelist1 = "delete"
disabled = 0

2nd:
props.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = delete
DEST_KEY = queue
FORMAT = indexQueue

transforms.conf

[source::WinEventLog:Security] or [source::WinEventLog://Security]  (with // like in inputs.conf)
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set = setnull, setparsing

Both of this doesn't work and i take all events.

What is the difference between these two approaches and what did I do wrong?

Jeremiah · ‎02-19-2016

I think you have a syntax error in your inputs.conf file. You need to specify the key that contains the string "delete". In the inputs.conf example from the docs:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

whitelist = EventCode=%^200$% User=%jrodman%

You'll need to look at your specific event to identify the key. For example if the key was "Action":

whitelist = Action=%delete%

Your second method of using a props/transforms routing rule is also not correct. You have the configurations swapped between the two files. But in general you would use this method of filtering on your indexers or heavy forwarders, not your universal forwarders. Try correcting your whitelist and see if that works for you.

View solution in original post

Jeremiah · ‎02-19-2016

I think you have a syntax error in your inputs.conf file. You need to specify the key that contains the string "delete". In the inputs.conf example from the docs:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

whitelist = EventCode=%^200$% User=%jrodman%

You'll need to look at your specific event to identify the key. For example if the key was "Action":

whitelist = Action=%delete%

Your second method of using a props/transforms routing rule is also not correct. You have the configurations swapped between the two files. But in general you would use this method of filtering on your indexers or heavy forwarders, not your universal forwarders. Try correcting your whitelist and see if that works for you.

Shark2112 · ‎02-20-2016

Thank you for feedback! But if i need regex (because my fieldsname in russian and splunk cant read it), what can i do?

Jeremiah · ‎02-20-2016

Eesh, good question. You can still try specifying the key and see if Splunk can match it. If not, you are probably better off filtering on the indexer, where you do not need to specify the key. On the indexer, use the following:

transforms.conf

 [setnull]
 REGEX = .
 DEST_KEY = queue
 FORMAT = nullQueue

 [setparsing]
 REGEX = delete
 DEST_KEY = queue
 FORMAT = indexQueue

props.conf:

[WinEventLog:Security]
TRANSFORMS-set = setnull, setparsing

Shark2112 · ‎02-20-2016

i'll try now
But if i need more than one filter, what must i do?

Shark2112 · ‎02-20-2016

nvm, all's work fine, thx for help!

How to filter out all WinEventLog:Security messages except those containing the word "delete"?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

How to filter out all WinEventLog:Security messages except those containing the word "delete"?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2