Getting Data In

How to filter out local firewall events I don’t want Splunk to index?

Path Finder

A lot of the Windows Security auditing events we see in Splunk come from the local firewall that we're not interested in. I know there's a way to configure Splunk to filter out events based on the event content, but I can't get it to work.

Event example:

CEF:0|Microsoft|Microsoft Windows|Windows Server 2012 R2|Microsoft-Windows-Security-Auditing:5129|The Windows Filtering Platform has blocked a connection.|Medium| eventID=4482321 externalId=5157 .....

I want to filter out all the local firewall events with the next content: "The Windows Filtering Platform has blocked a connection."
How can I do it?

Our environment:
Splunk 6.5
Splunk distributed environment (2 search head, 2 Heavy forwarders, 4 Indexers)
All events are transferred to the Indexers through the heavy forwarders.

0 Karma

Communicator

Hi bugnet,

you can send unwanted events to the nullQueue. The link below shows you an example.

In your environment you can do the configuration to to this on the Heavy Forwarder or on the Indexers. As you like. I would prefer to do it on the Heavy Forwarders.

For the Regex part for example you can take the EventID as unique identifier.

http://docs.splunk.com/Documentation/Splunk/6.5.1/Forwarding/Routeandfilterdatad#Discard_specific_ev...

Kind regards

0 Karma

Path Finder

Hi, Not work for me.
Please notice that this is CEF events that transferred to the havy forwarders from Arcsight.

0 Karma

Legend

Hi bugnet,
to filter not wanted events you have to modify in your indexers and/or heavy forwarders props.conf and transforms.conf in this way:

props.conf

[WinEventLog:Security]
TRANSFORMS-set-windows=set_windows,set_nullqueue

Transforms.conf

[set_windows]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

[set_nullqueue]
REGEX=eventID\=4482321
DEST_KEY=queue
FORMAT=nullQueue

If you receive all your log through the heavy forwarders, you can modify files only on Hf, if instead you receive logs both directly and through HF you have to put files both on the Indexers and on the Heavy Forwarders.

You have only to verify that the filtering regex (eventID=4482321) takes all the events you want to discard, you can easily verify this in Splunk with a search like this:

index=winecentlog sourcetype=WinEventLog:Security | regex "eventID\=4482321"

make attention to the order of TRANSFORMS command in props.conf: if you change order of set_windows and set_nullqueue, your filter doesn't work!

Bye.
Giuseppe

Path Finder

Hi, Not work for me.
Please notice that this is CEF events that transferred to the havy forwarders from Arcsight.

Thanks

0 Karma

Legend

Hi bugnet,
be sure of the three steps you have to do:

  1. identify all sourcetypes to filter (they seems to be WinEventLog:Security but verify them) and insert them in stanza's definition in props.conf, if sourcetypes are more than one, create more stanzas;
  2. verify regex (as described in my answer), when you're sure put it into the REGEX line of set_nullqueue stanza in transforms.conf; if regexes are more than 1 use pipe (|) to insert all the regexes;
  3. insert props.conf and transforms.con in your indexers;
  4. verify if logs pass through heavy forwarders, if yes put props.conf and transforms.con also in your hevy forwarders;
  5. restart all the modified Splunk servers. in this way your filter should run, I used this filters many times, but you have to be sure of sourcetypes, regexes and Splunk servers.

Bye.
Giuseppe

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!