A lot of the Windows Security auditing events we see in Splunk come from the local firewall that we're not interested in. I know there's a way to configure Splunk to filter out events based on the event content, but I can't get it to work.
CEF:0|Microsoft|Microsoft Windows|Windows Server 2012 R2|Microsoft-Windows-Security-Auditing:5129|The Windows Filtering Platform has blocked a connection.|Medium| eventID=4482321 externalId=5157 .....
I want to filter out all the local firewall events with the following content: "The Windows Filtering Platform has blocked a connection."
How can I do it?
Splunk distributed environment (2 search heads, 2 Heavy Forwarders, 4 Indexers)
All events are transferred to the Indexers through the heavy forwarders.
You can send unwanted events to the nullQueue. The link below shows you an example.
In your environment you can do the configuration to do this on the Heavy Forwarders or on the Indexers, as you like. I would prefer to do it on the Heavy Forwarders.
For the regex part, for example, you can take the EventID as the unique identifier.
To filter unwanted events you have to modify props.conf and transforms.conf on your indexers and/or heavy forwarders in this way:

transforms.conf:

[set_windows]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

[set_nullqueue]
REGEX = eventID\=4482321
DEST_KEY = queue
FORMAT = nullQueue
If you receive all your logs through the heavy forwarders, you can modify the files only on the HFs; if instead you receive logs both directly and through the HFs, you have to put the files on both the Indexers and the Heavy Forwarders.
You only have to verify that the filtering regex (eventID=4482321) matches all the events you want to discard; you can easily verify this in Splunk with a search like this:
index=winecentlog sourcetype=WinEventLog:Security | regex "eventID\=4482321"
Pay attention to the order of the TRANSFORMS command in props.conf: if you swap the order of set_windows and set_nullqueue, your filter doesn't work!
Be sure of the three steps you have to do:
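As an added example (not from the answer above and not Splunk's own code), this Python script replays the ordered TRANSFORMS evaluation over three constructed CEF lines so a filtering regex can be checked offline before anything is routed to nullQueue: it compares the eventID regex from the answer with a regex on the message text the question names, and shows what happens when the two stanzas are swapped. Every eventID and externalId value here is made up for the example.

```python
import re

# Constructed sample CEF lines modelled on the one in the question.
# The eventID / externalId values are invented for this example.
SAMPLE_EVENTS = [
    "CEF:0|Microsoft|Microsoft Windows|Windows Server 2012 R2|"
    "Microsoft-Windows-Security-Auditing:5129|"
    "The Windows Filtering Platform has blocked a connection.|Medium|"
    " eventID=4482321 externalId=5157",
    "CEF:0|Microsoft|Microsoft Windows|Windows Server 2012 R2|"
    "Microsoft-Windows-Security-Auditing:5129|"
    "The Windows Filtering Platform has blocked a connection.|Medium|"
    " eventID=4482322 externalId=5157",
    "CEF:0|Microsoft|Microsoft Windows|Windows Server 2012 R2|"
    "Microsoft-Windows-Security-Auditing:5129|"
    "An account was successfully logged on.|Medium|"
    " eventID=4482323 externalId=4624",
]

# Each tuple mirrors one transforms.conf stanza: (name, REGEX, FORMAT for DEST_KEY=queue).
# List order mirrors the order named in TRANSFORMS-... in props.conf.
ANSWER_TRANSFORMS = [
    ("set_windows", r".", "indexQueue"),
    ("set_nullqueue", r"eventID\=4482321", "nullQueue"),
]
MESSAGE_TRANSFORMS = [
    ("set_windows", r".", "indexQueue"),
    ("set_nullqueue", r"The Windows Filtering Platform has blocked a connection\.", "nullQueue"),
]


def route_events(events, transforms):
    """Return (event, queue) pairs. Transforms are applied in order and every
    matching one overwrites the queue, so the last matching stanza wins."""
    routed = []
    for event in events:
        queue = "indexQueue"          # default destination when nothing matches
        for _name, regex, fmt in transforms:
            if re.search(regex, event):
                queue = fmt
        routed.append((event, queue))
    return routed


def dropped(events, transforms):
    """Events that would end up in nullQueue (i.e. never indexed)."""
    return [ev for ev, q in route_events(events, transforms) if q == "nullQueue"]


if __name__ == "__main__":
    for label, tf in (("eventID regex", ANSWER_TRANSFORMS),
                      ("message regex", MESSAGE_TRANSFORMS),
                      ("message regex, stanzas swapped", list(reversed(MESSAGE_TRANSFORMS)))):
        print(f"{label}: {len(dropped(SAMPLE_EVENTS, tf))} of {len(SAMPLE_EVENTS)} events dropped")
```

Run it against a few hundred real lines exported from the search in the answer to see how many events each candidate regex would actually discard.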