Getting Data In

How to filter out local firewall events I don’t want Splunk to index?

bugnet
Path Finder

A lot of the Windows Security auditing events we see in Splunk come from the local firewall that we're not interested in. I know there's a way to configure Splunk to filter out events based on the event content, but I can't get it to work.

Event example:

CEF:0|Microsoft|Microsoft Windows|Windows Server 2012 R2|Microsoft-Windows-Security-Auditing:5129|The Windows Filtering Platform has blocked a connection.|Medium| eventID=4482321 externalId=5157 .....

I want to filter out all the local firewall events with the following content: "The Windows Filtering Platform has blocked a connection."
How can I do it?

Our environment:
Splunk 6.5
Splunk distributed environment (2 search heads, 2 heavy forwarders, 4 indexers)
All events are transferred to the Indexers through the heavy forwarders.

0 Karma

TStrauch
Communicator

Hi bugnet,

you can send unwanted events to the nullQueue. The link below shows you an example.

In your environment you can do this configuration on the heavy forwarders or on the indexers, as you like. I would prefer to do it on the heavy forwarders.

For the regex part, for example, you can take the EventID as a unique identifier.

http://docs.splunk.com/Documentation/Splunk/6.5.1/Forwarding/Routeandfilterdatad#Discard_specific_ev...

Kind regards

0 Karma

bugnet
Path Finder

Hi, it doesn't work for me.
Please note that these are CEF events transferred to the heavy forwarders from ArcSight.

0 Karma

gcusello
Esteemed Legend

Hi bugnet,
to filter unwanted events you have to modify props.conf and transforms.conf on your indexers and/or heavy forwarders in this way:

props.conf

[WinEventLog:Security]
TRANSFORMS-set-windows=set_windows,set_nullqueue

transforms.conf

[set_windows]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

[set_nullqueue]
REGEX=eventID\=4482321
DEST_KEY=queue
FORMAT=nullQueue

If you receive all your logs through the heavy forwarders, you can modify the files only on the HF; if instead you receive logs both directly and through the HF, you have to put the files both on the indexers and on the heavy forwarders.

You only have to verify that the filtering regex (eventID=4482321) catches all the events you want to discard; you can easily verify this in Splunk with a search like this:

index=wineventlog sourcetype=WinEventLog:Security | regex "eventID\=4482321"

Pay attention to the order of the TRANSFORMS entries in props.conf: if you swap the order of set_windows and set_nullqueue, your filter doesn't work!

Bye.
Giuseppe

bugnet
Path Finder

Hi, it doesn't work for me.
Please note that these are CEF events transferred to the heavy forwarders from ArcSight.

Thanks

0 Karma

gcusello
Esteemed Legend

Hi bugnet,
be sure of the three steps you have to do:

  1. identify all sourcetypes to filter (they seem to be WinEventLog:Security, but verify them) and insert them in the stanza definition in props.conf; if there is more than one sourcetype, create more stanzas;
  2. verify the regex (as described in my answer); when you're sure, put it into the REGEX line of the set_nullqueue stanza in transforms.conf; if there is more than one regex, use a pipe (|) to combine all the regexes;
  3. insert props.conf and transforms.conf on your indexers;
  4. verify whether logs pass through the heavy forwarders; if yes, put props.conf and transforms.conf also on your heavy forwarders;
  5. restart all the modified Splunk servers. In this way your filter should run. I have used these filters many times, but you have to be sure of sourcetypes, regexes and Splunk servers.

Bye.
Giuseppe

0 Karma
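As an added illustration (not gcusello's or Splunk's own code), the Python model below walks constructed CEF events in the shape quoted in the question through the two transforms.conf stanzas from the answer above, and through the five-step checklist's "verify the regex" step. It assumes Splunk's documented behaviour that transforms in one TRANSFORMS list run left to right and the last match for the same DEST_KEY wins, which is what makes the set_windows / set_nullqueue order matter; the sample events and their eventID values are constructed.

```python
import re

# Constructed sample events in the CEF shape quoted in the question (not real data):
# two WFP "blocked a connection" events with different serial eventIDs, one logon event.
WFP_MSG = "The Windows Filtering Platform has blocked a connection."
PREFIX = ("CEF:0|Microsoft|Microsoft Windows|Windows Server 2012 R2|"
          "Microsoft-Windows-Security-Auditing:")
SAMPLE_EVENTS = [
    PREFIX + "5129|" + WFP_MSG + "|Medium| eventID=4482321 externalId=5157",
    PREFIX + "5129|" + WFP_MSG + "|Medium| eventID=4482322 externalId=5157",
    PREFIX + "4624|An account was successfully logged on.|Low| eventID=4482323 externalId=4624",
]

def build_transforms(nullqueue_regex):
    """Model the two transforms.conf stanzas from the answer (both DEST_KEY = queue)."""
    return {
        "set_windows": (r".", "indexQueue"),          # REGEX=. matches every event
        "set_nullqueue": (nullqueue_regex, "nullQueue"),
    }

def route_event(raw, transforms, order):
    """Apply the transforms named in `order` left to right. Because both set the
    same DEST_KEY, the last matching transform wins (assumed Splunk semantics)."""
    queue = "indexQueue"                              # default when nothing sets queue
    for name in order:
        regex, fmt = transforms[name]
        if re.search(regex, raw):
            queue = fmt
    return queue

def route_all(events, nullqueue_regex, order=("set_windows", "set_nullqueue")):
    """Destination queue of each event for a given filter regex and TRANSFORMS order."""
    transforms = build_transforms(nullqueue_regex)
    return [route_event(e, transforms, order) for e in events]

def count_discarded(events, nullqueue_regex):
    """How many events the regex would send to nullQueue; compare this with what
    the '| regex "<pattern>"' search returns before deploying the filter."""
    return route_all(events, nullqueue_regex).count("nullQueue")

if __name__ == "__main__":
    msg_regex = r"The Windows Filtering Platform has blocked a connection\."
    id_regex = r"eventID\=4482321"    # the per-event serial used in the answer
    print(route_all(SAMPLE_EVENTS, msg_regex))  # ['nullQueue', 'nullQueue', 'indexQueue']
    print(route_all(SAMPLE_EVENTS, id_regex))   # ['nullQueue', 'indexQueue', 'indexQueue']
    # swapped order: set_windows runs last and overrides nullQueue for every event
    print(route_all(SAMPLE_EVENTS, msg_regex, order=("set_nullqueue", "set_windows")))
```

Matching on the message text discards every WFP block event, while matching on one eventID serial discards only that single event, which is the check the answer's search is meant to make before the filter goes live.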