Getting Data In

How would I filter WinEventLog inputs on custom text?

mcrawford44
Communicator

Using the following inputs.conf on a Splunk forwarder;

 [WinEventLog://Security]
    index = wineventlog_test
    start_from = oldest
    current_only = 1
    evt_resolve_ad_obj = 1
    checkpointInterval = 5
    # Windows 7 = 4688, 489
    # Windows XP = 592, 593
    whitelist1 = EventCode="4688|4689|592|593"

This will pull the 4 event codes just fine. However, I am trying to filter any events created by the "NT AUTHORITY\SYSTEM" and "SYSTEM" accounts.
The documentation on the WinEventCode input points to using a limited set of specific keys to filter only, and none of them have worked. For example;

blacklist1 = User="NT\sAUTHORITY\\SYSTEM|SYSTEM"

OR

blacklist1 = Sid="S\-1\-5\-18"

Here is the documentation link; http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/MonitorWindowsdata#Create_advanced_filters_wi...

We are attempting to index USER process creation and closures. These accounts do not represent users, so we do not want to index them. These service account events are 90% of the indexed data. So filtering these out will significantly reduce traffic and license usage.

Is there a way to simply filter the raw input? Is there a way to configure the forwarder to ignore EventLog records that contain a RegEx match at all?

1 Solution

Richfez
SplunkTrust
SplunkTrust

The nullQueue may be a way to handle this situation. I'm by no means an expert, but I used it to remove users that end in dollar signs. I'm sure it would be easy to adapt this to your needs.

In my props.conf,

[source::WinEventLog:Security]
TRANSFORMS-remove-unwanted-users = unwanted-users-to-nullQ

In transforms.conf:

[unwanted-users-to-nullQ]
REGEX = Account\s{1}Name:.*\$
DEST_KEY = queue
FORMAT = nullQueue

Now, keep in mind that the way I'm doing it ALL items from source::WinEventLog:Security will be filtered like this. That may or may not be what you want, but it is what I've got set up.

View solution in original post

Richfez
SplunkTrust
SplunkTrust

The nullQueue may be a way to handle this situation. I'm by no means an expert, but I used it to remove users that end in dollar signs. I'm sure it would be easy to adapt this to your needs.

In my props.conf,

[source::WinEventLog:Security]
TRANSFORMS-remove-unwanted-users = unwanted-users-to-nullQ

In transforms.conf:

[unwanted-users-to-nullQ]
REGEX = Account\s{1}Name:.*\$
DEST_KEY = queue
FORMAT = nullQueue

Now, keep in mind that the way I'm doing it ALL items from source::WinEventLog:Security will be filtered like this. That may or may not be what you want, but it is what I've got set up.

gerald_contrera
Path Finder

Hi, I know this was long ago, but it's the above transform regex for users ending in $

?

I have the same problem as the original poster. There is no clear answers anywhere to what I believe would be a very common problem.
I too have tried regex in inputs.conf with no luck. I want to try the props and transforms on the indexers but I want to be sure I'm doing the right thing.

I don't want to index specifically event codes 4624 and 4634 for users that end in $
Eg. P62134$

Thankyou if you or anyone is out there to clarify

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Have you tried this with just "blacklist" instead of "blacklist1"? I am not 100% sure, but I believe your first blacklist/whitelist entry in the list cannot have a sequence number.
So, this should work:

blacklist = User=<yourRegEx1>
blacklist1 = User=<yourRegEx2>
blacklist2 = User=<yourRegEx3> 

while this likely will not work:

blacklist1 = User=<yourRegEx1>
blacklist2 = User=<yourRegEx2>
blacklist3 = User=<yourRegEx3> 

I further believe that sequence numbers cannot have gaps in them, but you don't have that anyways.

Edit: Now I see your whitelist1 = appears to work, so there goes this theory. 😉

0 Karma

mcrawford44
Communicator

I still tested your theory, however it did not make a difference. Thank you for your assistance though!

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>