I have tried the following to send the included Windows event to null, but it does not work.
I have tried the props.conf and transforms.conf in system\local and apps\"appname"\local.
raw event:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>13</EventID><Version>2</Version><Level>4</Level><Task>13</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-02-22T16:39:16.083750800Z'/><EventRecordID>18650882160</EventRecordID><Correlation/><Execution ProcessID='2496' ThreadID='3780'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>site-wec.site.lan</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>SetValue</Data><Data Name='UtcTime'>2023-02-22 16:39:16.081</Data><Data Name='ProcessGuid'>{4bf925e4-0d0b-63e5-4100-000000002000}</Data><Data Name='ProcessId'>2688</Data><Data Name='Image'>C:\Windows\system32\svchost.exe</Data><Data Name='TargetObject'>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions\Sysmon\EventSources\site-wec.site.lan\Bookmark</Data><Data Name='Details'><BookmarkList><Bookmark Channel="Microsoft-Windows-Sysmon/Operational" RecordId="18650811531" IsCurrent="true"/></BookmarkList></Data><Data Name='User'>NT AUTHORITY\NETWORK SERVICE</Data></EventData></Event>
props.conf
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
TRANSFORMS-sysmon13Bookmark = sysmon13-Bookmark
transforms.conf
[sysmon13-Bookmark]
REGEX = (<EventID>13<\/EventID>).+Bookmark
DEST_KEY = queue
FORMAT = nullQueue
Hi @dford77
The config pretty much looks correct (maybe a copy-paste error in props.conf). Maybe you configured it on the Splunk universal forwarder agent, which would be incorrect.
This configuration needs to live in the event parsing tier of the Splunk servers, typically a heavy forwarder or indexer, or maybe a standalone Splunk instance, depending on your setup.
props.conf
# double check the sourcetype used below is correct in the event
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
TRANSFORMS-sysmon13Bookmark = sysmon13-Bookmark
transforms.conf
[sysmon13-Bookmark]
REGEX = <EventID>13<\/EventID>.+Bookmark
DEST_KEY = queue
FORMAT = nullQueue
To ensure the config is picked up a restart of the Splunk instance (hopefully you have a test environment) may be needed.
Hope this helps
If the event is multi-line then .+ may not match newlines. Try this alternative.
REGEX = (<EventID>13<\/EventID>)[\s\S]+Bookmark
If this reply helps you, Karma would be appreciated.
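To check the transform's matching logic offline before touching a parsing-tier instance, here is an added Python example (it is not from either reply, nor from Splunk) that runs the three REGEX values from the question and the two replies against the event pasted in the question, once as the single line shown and once in a constructed multi-line rendering, and reports which queue each combination would route to. It assumes Python's re module treats these patterns the way Splunk's PCRE does (true for `.`, `[\s\S]` and the `\/` escape); the `route` and `evaluate` helpers, the multi-line sample and the EventID 1 negative sample are constructed for illustration.

```python
import re

# Raw Sysmon EventID 13 event exactly as pasted in the question (single line).
RAW_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Sysmon' "
    "Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>"
    "<EventID>13</EventID><Version>2</Version><Level>4</Level><Task>13</Task>"
    "<Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords>"
    "<TimeCreated SystemTime='2023-02-22T16:39:16.083750800Z'/>"
    "<EventRecordID>18650882160</EventRecordID><Correlation/>"
    "<Execution ProcessID='2496' ThreadID='3780'/>"
    "<Channel>Microsoft-Windows-Sysmon/Operational</Channel>"
    "<Computer>site-wec.site.lan</Computer><Security UserID='S-1-5-18'/></System>"
    "<EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>SetValue</Data>"
    "<Data Name='UtcTime'>2023-02-22 16:39:16.081</Data>"
    "<Data Name='ProcessGuid'>{4bf925e4-0d0b-63e5-4100-000000002000}</Data>"
    "<Data Name='ProcessId'>2688</Data>"
    "<Data Name='Image'>C:\\Windows\\system32\\svchost.exe</Data>"
    "<Data Name='TargetObject'>HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    "\\EventCollector\\Subscriptions\\Sysmon\\EventSources\\site-wec.site.lan\\Bookmark</Data>"
    "<Data Name='Details'><BookmarkList><Bookmark Channel=\"Microsoft-Windows-Sysmon/Operational\" "
    "RecordId=\"18650811531\" IsCurrent=\"true\"/></BookmarkList></Data>"
    "<Data Name='User'>NT AUTHORITY\\NETWORK SERVICE</Data></EventData></Event>"
)

# Constructed multi-line rendering: a newline between adjacent tags, which is the
# shape the second reply is worried about. An approximation for testing only, not
# a claim about exactly how the forwarder lays out the XML.
MULTILINE_EVENT = RAW_EVENT.replace("><", ">\n<")

# Constructed negative sample: same payload but EventID 1, which must NOT be dropped.
OTHER_EVENT = RAW_EVENT.replace("<EventID>13</EventID>", "<EventID>1</EventID>")

# The three REGEX values that appear in the thread.
TRANSFORMS = {
    "question":     r"(<EventID>13<\/EventID>).+Bookmark",
    "first-reply":  r"<EventID>13<\/EventID>.+Bookmark",
    "second-reply": r"(<EventID>13<\/EventID>)[\s\S]+Bookmark",
}


def route(event, regex):
    """Mimic DEST_KEY = queue / FORMAT = nullQueue.

    An event whose _raw matches REGEX is sent to nullQueue (dropped); anything
    else continues to indexQueue. Splunk evaluates REGEX as PCRE without the
    (?s) flag, so '.' stops at a newline; Python's re does the same by default.
    """
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def evaluate(events, transforms=TRANSFORMS):
    """Return {transform name: {event label: queue}} for every combination."""
    return {
        name: {label: route(text, regex) for label, text in events.items()}
        for name, regex in transforms.items()
    }


SAMPLES = {
    "single-line": RAW_EVENT,
    "multi-line": MULTILINE_EVENT,
    "eventid-1": OTHER_EVENT,
}

if __name__ == "__main__":
    for name, results in evaluate(SAMPLES).items():
        print(f"{name:13s} {TRANSFORMS[name]}")
        for label, queue in results.items():
            print(f"    {label:12s} -> {queue}")
```

All three patterns drop the single-line event, but only the `[\s\S]+` form still drops it once a line break sits between `</EventID>` and `Bookmark`, and none of them touch the EventID 1 event. This only exercises the REGEX; the sourcetype in the props.conf stanza header, the closing `]` and the tier the files live on still need the checks the first reply describes.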