Hello,
I have a standalone Splunk Enterprise 9.1.3 instance with some DCs and servers connected to it using Forwarder Management console. At the moment I have 2 server classes configured, 1 for the DCs and the other one for the servers. The server class for the DCs includes only the inputs.conf file for Windows logs:
[WinEventLog://Security]
disabled = 0
index = myindex
followTail=true
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = 4624,4634,4625,4728,4729
renderXml=false
Moreover, in Splunk Enterprise I configured 2 transforms for splitting the logs into two separate indexes, like this:
props.conf:
[WinEventLog:Security]
TRANSFORMS-security = rewrite_ad_group_management, rewrite_index_adm
transforms.conf:
[rewrite_ad_group_management]
REGEX = EventCode=(4728|4729)
DEST_KEY = _MetaData:Index
FORMAT = index1
[rewrite_index_adm]
REGEX = Account Name:\s+.*\.adm
DEST_KEY = _MetaData:Index
FORMAT = index2
In particular, the goal is to forward the authentication events (4624,4634,4625) for only admin users (Account Name:\s+.*\.adm) to index2 and only EventCode 4728 and 4729 to index1, and the events that match no transform should remain in myindex. At the moment the first transform is not working, so I'm receiving Events 4728 and 4729 in index2. Am I missing something, or is there a better logic to do that? I also tried to combine 4624,4634,4625 and Account Name:\s+.*\.adm with
(?ms)EventCode=(4624|4634|4625)\X*Account Name:\s+.*\.adm
Thanks in advance
An important thing to keep in mind with this configuration is that each transform will be applied to the events, so the first transform can change the destination index, but then the second transform can change the destination index again. If events are going to index2 but should be going to index1, it indicates that the regex for the rewrite_index_adm transform is matching on the events that should go to index1.
Check your regexes and make sure that the regex for rewrite_ad_group_management ONLY applies to logs with EventCode 4728 or 4729, while the regex for rewrite_index_adm ONLY applies to the EventCodes 4624,4634,4625 and for admin users.
Hello @marnall , I already tested both regexes in regex101 and there is no overlapping, this is why I do not understand why it's not working.
What do you mean by "there is no overlapping"?
A 4728 or 4729 event will have an Account Name field.
Splunk applies the transforms in a transform class from left to right and applies them all (if they match).
So your event will first be checked against the first transform: if the event is 4728 or 4729, the index will get overwritten to index1, but then immediately Splunk will apply the second transform, which will - for the *.adm accounts - overwrite the index to index2.
At least that's how it should work if the regexes are OK (I didn't check that).
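To make the "last matching transform wins" behaviour concrete, here is an added Python model of how Splunk walks the TRANSFORMS-security list over a few constructed events (not real log data, and not code from the thread). It runs the two regexes exactly as posted, then a version where the rewrite_index_adm regex is additionally constrained to the three logon EventCodes (my suggested fix, an assumption, not something Splunk does on its own).

```python
import re

# Constructed sample events, reduced to the lines the regexes look at.
# Real Windows Security events carry many more fields.
EVENTS = {
    "admin logon 4624": (
        "EventCode=4624\nMessage=An account was successfully logged on.\n"
        "New Logon:\n\tAccount Name:\t\talice.adm\n"
    ),
    "user logon 4624": "EventCode=4624\nNew Logon:\n\tAccount Name:\t\tbob\n",
    "group add 4728 by admin": (
        "EventCode=4728\nMessage=A member was added to a security-enabled global group.\n"
        "Subject:\n\tAccount Name:\t\tcarol.adm\n"
    ),
    "group remove 4729 by user": "EventCode=4729\nSubject:\n\tAccount Name:\t\tdave\n",
}


def apply_transforms(raw, transforms, default_index="myindex"):
    """Model of Splunk's TRANSFORMS-<class> evaluation: every transform in the
    list is tried in order and each match overwrites _MetaData:Index, so when
    several regexes match the same event the last one in the list wins."""
    index = default_index
    for _name, regex, fmt in transforms:
        if re.search(regex, raw):
            index = fmt
    return index


# (name, REGEX, FORMAT) triples copied from the transforms.conf in the question.
ORIGINAL = [
    ("rewrite_ad_group_management", r"EventCode=(4728|4729)", "index1"),
    ("rewrite_index_adm", r"Account Name:\s+.*\.adm", "index2"),
]

# Same order, but the second regex now also requires a logon EventCode, so a
# 4728/4729 event performed by a .adm account no longer matches it.
FIXED = [
    ("rewrite_ad_group_management", r"EventCode=(4728|4729)", "index1"),
    ("rewrite_index_adm",
     r"(?s)EventCode=(4624|4634|4625).*Account Name:\s+\S+\.adm", "index2"),
]


def route_all(transforms):
    """Return {event label: destination index} for every sample event."""
    return {label: apply_transforms(raw, transforms) for label, raw in EVENTS.items()}


if __name__ == "__main__":
    for label, ruleset in (("as posted", ORIGINAL), ("constrained", FIXED)):
        print(label, route_all(ruleset))
```

With the posted regexes the 4728 event by carol.adm ends in index2, reproducing the symptom; with the constrained regex it stays in index1. Note that a real 4624 event has two Account Name fields (Subject and New Logon), so if only the logged-on account should count, anchor the pattern on New Logon rather than on the first Account Name.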