Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to send noisy windows event to null?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dford77
Engager
02-22-2023
09:41 AM
I have tried the following to send the included windows event to null but it does not work
I have tried the props.conf and transform.conf in system\local and apps\"appname"\local
raw event:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>13</EventID><Version>2</Version><Level>4</Level><Task>13</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-02-22T16:39:16.083750800Z'/><EventRecordID>18650882160</EventRecordID><Correlation/><Execution ProcessID='2496' ThreadID='3780'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>site-wec.site.lan</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>SetValue</Data><Data Name='UtcTime'>2023-02-22 16:39:16.081</Data><Data Name='ProcessGuid'>{4bf925e4-0d0b-63e5-4100-000000002000}</Data><Data Name='ProcessId'>2688</Data><Data Name='Image'>C:\Windows\system32\svchost.exe</Data><Data Name='TargetObject'>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions\Sysmon\EventSources\site-wec.site.lan\Bookmark</Data><Data Name='Details'><BookmarkList><Bookmark Channel="Microsoft-Windows-Sysmon/Operational" RecordId="18650811531" IsCurrent="true"/></BookmarkList></Data><Data Name='User'>NT AUTHORITY\NETWORK SERVICE</Data></EventData></Event>
props.conf
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
TRANSFORMS-sysmon13Bookmark = sysmon13-Bookmark
transforms.conf
[sysmon13-Bookmark]
REGEX = (<EventID>13<\/EventID>).+Bookmark
DEST_KEY = queue
FORMAT = nullQueue
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yeahnah
Motivator
02-22-2023
12:09 PM
Hi @dford77
The config pretty much looks correct (maybe a copy paste error in props.conf). Maybe you configured it on the Splunk universal forwarder agent, which would be incorrect.
This configuration needs to live in the event parsing tier of the Splunk servers, typically a heavy forwarder or indexer, or maybe a standalone Splunk instance, depending on your set up.
props.conf
# double check the sourcetype used below is correct in the event
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
TRANSFORMS-sysmon13Bookmark = sysmon13-Bookmarktransforms.conf
[sysmon13-Bookmark]
REGEX = <EventID>13<\/EventID>.+Bookmark
DEST_KEY = queue
FORMAT = nullQueue
To ensure the config is picked up a restart of the Splunk instance (hopefully you have a test environment) may be needed.
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
02-22-2023
12:17 PM
If the event is multi-line then .+ may not match newlines. Try this alternative.
REGEX = (<EventID>13<\/EventID>)[\s\S]+Bookmark
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yeahnah
Motivator
02-22-2023
12:09 PM
Hi @dford77
The config pretty much looks correct (maybe a copy paste error in props.conf). Maybe you configured it on the Splunk universal forwarder agent, which would be incorrect.
This configuration needs to live in the event parsing tier of the Splunk servers, typically a heavy forwarder or indexer, or maybe a standalone Splunk instance, depending on your set up.
props.conf
# double check the sourcetype used below is correct in the event
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
TRANSFORMS-sysmon13Bookmark = sysmon13-Bookmarktransforms.conf
[sysmon13-Bookmark]
REGEX = <EventID>13<\/EventID>.+Bookmark
DEST_KEY = queue
FORMAT = nullQueue
To ensure the config is picked up a restart of the Splunk instance (hopefully you have a test environment) may be needed.
Hope this helps
Get Updates on the Splunk Community!
Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination
Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...
Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar
Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
Splunk ITSI & Correlated Network Visibility
Now On Demand
Take Your Network Visibility to the Next Level
In today’s complex IT environments, ...
