Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter out all WinEventLog:Security messages except those containing the word "delete"?

Shark2112
Communicator
‎02-19-2016 08:06 AM

Hey guys.

I want to exclude all messages from WinEventLog:Security except those containing the word "delete"(for deleted file audit).

I was trying 2 ways:

1st: in inputs.conf

[WinEventLog://Security]
whitelist1 = "delete"
disabled = 0

2nd:
props.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = delete
DEST_KEY = queue
FORMAT = indexQueue

transforms.conf

[source::WinEventLog:Security] or [source::WinEventLog://Security]  (with // like in inputs.conf)
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set = setnull, setparsing

Both of this doesn't work and i take all events.

What is the difference between these two approaches and what did I do wrong?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎02-19-2016 09:05 AM

I think you have a syntax error in your inputs.conf file. You need to specify the key that contains the string "delete". In the inputs.conf example from the docs:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

whitelist = EventCode=%^200$% User=%jrodman%

You'll need to look at your specific event to identify the key. For example if the key was "Action":

whitelist = Action=%delete%

Your second method of using a props/transforms routing rule is also not correct. You have the configurations swapped between the two files. But in general you would use this method of filtering on your indexers or heavy forwarders, not your universal forwarders. Try correcting your whitelist and see if that works for you.

View solution in original post

Reply
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎02-19-2016 09:05 AM

I think you have a syntax error in your inputs.conf file. You need to specify the key that contains the string "delete". In the inputs.conf example from the docs:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

whitelist = EventCode=%^200$% User=%jrodman%

You'll need to look at your specific event to identify the key. For example if the key was "Action":

whitelist = Action=%delete%

Your second method of using a props/transforms routing rule is also not correct. You have the configurations swapped between the two files. But in general you would use this method of filtering on your indexers or heavy forwarders, not your universal forwarders. Try correcting your whitelist and see if that works for you.

Reply
Solved! Jump to solution

Shark2112
Communicator
‎02-20-2016 02:40 AM

Thank you for feedback! But if i need regex (because my fieldsname in russian and splunk cant read it), what can i do?

0 Karma
Reply
Solved! Jump to solution

Jeremiah
Motivator
‎02-20-2016 09:11 AM

Eesh, good question. You can still try specifying the key and see if Splunk can match it. If not, you are probably better off filtering on the indexer, where you do not need to specify the key. On the indexer, use the following:

transforms.conf

 [setnull]
 REGEX = .
 DEST_KEY = queue
 FORMAT = nullQueue

 [setparsing]
 REGEX = delete
 DEST_KEY = queue
 FORMAT = indexQueue

props.conf:

[WinEventLog:Security]
TRANSFORMS-set = setnull, setparsing
Reply
Solved! Jump to solution

Shark2112
Communicator
‎02-20-2016 09:36 AM

i'll try now
But if i need more than one filter, what must i do?

0 Karma
Reply
Solved! Jump to solution

Shark2112
Communicator
‎02-20-2016 09:51 AM

nvm, all's work fine, thx for help!

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...