Getting Data In

Reducing Windows Security Events flow by filtering in parsing queue

fab73
Path Finder

In order to filter out non-administrator logon events on WinEventLog:Security sourcetype, I inserted the following stanza in transforms.conf in proper position I suppose:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[secsetparsing2]
REGEX=User_Name!=Administrator
DEST_KEY = queue
FORMAT = nullQueue

[secsetparsing]
REGEX=(?m)^EventCode=(528|529|530)
DEST_KEY = queue
FORMAT = indexQueue

and in props.conf :

[WinEventLog:Security]     
TRANSFORMS-security=setnull,secsetparsing2,secsetparsing

but it doesn't work: events with User_Name different from Administrator are still coming in last minute to my indexers....any idea? Is there any error? I use Splunk 6.4.1. Any comment is appreciated.

0 Karma
1 Solution

fab73
Path Finder

It works splitting the filters by mean of two sequence of tansforms in transforms.conf and props.conf

Windows:Security

[setnull]
[secsetparsing]

Windows:Security

[setnull2]
[secsetparsing2]

View solution in original post

0 Karma

fab73
Path Finder

It works splitting the filters by mean of two sequence of tansforms in transforms.conf and props.conf

Windows:Security

[setnull]
[secsetparsing]

Windows:Security

[setnull2]
[secsetparsing2]

View solution in original post

0 Karma

fab73
Path Finder

I Tried :

#### Windows:Security

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[secsetparsing2]
REGEX=Administrator
DEST_KEY = queue
FORMAT = indexQueue

[secsetparsing]
REGEX=(?m)^EventCode=(528|529)
DEST_KEY = queue
FORMAT = indexQueue

but still receive non Admin events altought REGEX=Administrator in Regex PCRE Standard means "every string that contains Administrator word". I suppose the filter is not working. Does exist a way to filter in the parsing queue on a field basis ?

0 Karma

fab73
Path Finder

Is the filter applied on source data of the event?

0 Karma

fab73
Path Finder

Thanks. But which is the regular expression that match the string

"Nome utente: Administrator"

in source data?

I have this event (a classic Windows Security event):

"02/02/2017 10:06:49 AM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=server01
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=2
CategoryString=Accesso/fine sess.
RecordNumber=1549305796
Message=Accesso non riuscito:

Motivo:     Nome utente sconosciuto o password non valida

Nome utente:    Administrator

Dominio:        MyDomain

Tipo di accesso:    3

..."

0 Karma

somesoni2
Revered Legend

The secsetparsing2 REGEX is written as boolean expression. It should be regular expression, you can't evaluate as field value. Instead of moving non-admins to nullQueue, you can just send admin events to indexqueue, like this

[secsetparsing2]
REGEX=User_Name=Administrator
DEST_KEY = queue
FORMAT = indexQueue
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!