Solved: How to filter out all WinEventLog:Security message...

Shark2112 · ‎02-19-2016

Hey guys.

I want to exclude all messages from WinEventLog:Security except those containing the word "delete"(for deleted file audit).

I was trying 2 ways:

1st: in inputs.conf

[WinEventLog://Security]
whitelist1 = "delete"
disabled = 0

2nd:
props.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = delete
DEST_KEY = queue
FORMAT = indexQueue

transforms.conf

[source::WinEventLog:Security] or [source::WinEventLog://Security]  (with // like in inputs.conf)
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set = setnull, setparsing

Both of this doesn't work and i take all events.

What is the difference between these two approaches and what did I do wrong?

Jeremiah · ‎02-19-2016

I think you have a syntax error in your inputs.conf file. You need to specify the key that contains the string "delete". In the inputs.conf example from the docs:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

whitelist = EventCode=%^200$% User=%jrodman%

You'll need to look at your specific event to identify the key. For example if the key was "Action":

whitelist = Action=%delete%

Your second method of using a props/transforms routing rule is also not correct. You have the configurations swapped between the two files. But in general you would use this method of filtering on your indexers or heavy forwarders, not your universal forwarders. Try correcting your whitelist and see if that works for you.

View solution in original post

Jeremiah · ‎02-19-2016

I think you have a syntax error in your inputs.conf file. You need to specify the key that contains the string "delete". In the inputs.conf example from the docs:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

whitelist = EventCode=%^200$% User=%jrodman%

You'll need to look at your specific event to identify the key. For example if the key was "Action":

whitelist = Action=%delete%

Your second method of using a props/transforms routing rule is also not correct. You have the configurations swapped between the two files. But in general you would use this method of filtering on your indexers or heavy forwarders, not your universal forwarders. Try correcting your whitelist and see if that works for you.

Shark2112 · ‎02-20-2016

Thank you for feedback! But if i need regex (because my fieldsname in russian and splunk cant read it), what can i do?

Jeremiah · ‎02-20-2016

Eesh, good question. You can still try specifying the key and see if Splunk can match it. If not, you are probably better off filtering on the indexer, where you do not need to specify the key. On the indexer, use the following:

transforms.conf

 [setnull]
 REGEX = .
 DEST_KEY = queue
 FORMAT = nullQueue

 [setparsing]
 REGEX = delete
 DEST_KEY = queue
 FORMAT = indexQueue

props.conf:

[WinEventLog:Security]
TRANSFORMS-set = setnull, setparsing

Shark2112 · ‎02-20-2016

i'll try now
But if i need more than one filter, what must i do?

Shark2112 · ‎02-20-2016

nvm, all's work fine, thx for help!

How to filter out all WinEventLog:Security messages except those containing the word "delete"?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation