Getting Data In

Issue with transforms.conf

marco_massari11
Communicator

Hello,

I have a standalone Splunk Enterprise 9.1.3 instance with some DCs and servers connected to it using Forwarder Management console. At the moment I have 2 server classes configured, 1 for the DCs and the other one for the servers. The server class for the DCs includes only the inputs.conf file for Windows logs:

[WinEventLog://Security]
disabled = 0
index = myindex
followTail=true
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = 4624,4634,4625,4728,4729
renderXml=false

Moreover, in the Splunk Enterprise I configured 2 transforms for splitting the logs in two separeted indexes, like this:

props.conf:

[WinEventLog:Security]
TRANSFORMS-security = rewrite_ad_group_management, rewrite_index_adm


transforms.conf:

[rewrite_ad_group_management]
REGEX = EventCode=(4728|4729)
DEST_KEY = _MetaData:Index
FORMAT = index1

[rewrite_index_adm]
REGEX = Account Name:\s+.*\.adm
DEST_KEY = _MetaData:Index
FORMAT = index2

In particular, the goal is to forward the authentication events (4624,4634,4625) for only admin users (Account Name:\s+.*\.adm) in index2 and only EventCode 4728 and 4729 in index1, and the events that not match none transform should remain in myindex. At the moment the first transform is not working, so I'm receiving Events 4728 and 4729 in index2, am I missing something or there is a better logic to do that? I tried to combine also 4624,4634,4625 and Account Name:\s+.*\.adm with 

(?ms)EventCode=(4624|4634|4625)\X*Account Name:\s+.*\.adm


Thanks in advance

Labels (3)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

What do you mean by "there is no overlapping"?

A 4728 or 4729 event will have an Account Name field.

Splunk applies transform class from left to right and applies them all (if they match).

So your event will first match the first transform, if the event is 4728 or 4729 the index will get overwritten to index1 but then immediately Splunk will apply the second transform which will - for the *.adm accounts - overwrite the index to index2.

At least that's how it should work if the regexes are OK (I didn't check that).

View solution in original post

0 Karma

marnall
Motivator

An important thing to keep in mind with this configuration is that each transform will be applied to the events, so the first transform can change the destination index, but then the second transform can change the destination index again. If events are going to index2 but should be going to index1, it indicates that the regex for the rewrite_index_adm transform is matching on the events that should go to index1.

Check your regexes and make sure that the regex for rewrite_ad_group_management ONLY applies to logs with EventCode 4728 or 4729, while the regex for rewrite_index_adm ONLY applies to the Eventcodes 4624,4634,4625 and for admin users.

0 Karma

marco_massari11
Communicator

Hello @marnall , I already tested both regex in regex101 and there is not overlapping, this is why I do not understand why it's not working.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

What do you mean by "there is no overlapping"?

A 4728 or 4729 event will have an Account Name field.

Splunk applies transform class from left to right and applies them all (if they match).

So your event will first match the first transform, if the event is 4728 or 4729 the index will get overwritten to index1 but then immediately Splunk will apply the second transform which will - for the *.adm accounts - overwrite the index to index2.

At least that's how it should work if the regexes are OK (I didn't check that).

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...