Getting Data In

Reducing Windows Security Events flow by filtering in parsing queue

fab73
Path Finder

In order to filter out non-administrator logon events for the WinEventLog:Security sourcetype, I inserted the following stanzas in transforms.conf, in the proper position I suppose:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[secsetparsing2]
REGEX=User_Name!=Administrator
DEST_KEY = queue
FORMAT = nullQueue

[secsetparsing]
REGEX=(?m)^EventCode=(528|529|530)
DEST_KEY = queue
FORMAT = indexQueue

and in props.conf :

[WinEventLog:Security]     
TRANSFORMS-security=setnull,secsetparsing2,secsetparsing

but it doesn't work: events with User_Name different from Administrator are still coming in to my indexers in the last minute.... Any idea? Is there any error? I use Splunk 6.4.1. Any comment is appreciated.

0 Karma
1 Solution

fab73
Path Finder

It works by splitting the filters into two sequences of transforms in transforms.conf and props.conf:

Windows:Security

[setnull]
[secsetparsing]

Windows:Security

[setnull2]
[secsetparsing2]


0 Karma


fab73
Path Finder

I tried:

#### Windows:Security

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[secsetparsing2]
REGEX=Administrator
DEST_KEY = queue
FORMAT = indexQueue

[secsetparsing]
REGEX=(?m)^EventCode=(528|529)
DEST_KEY = queue
FORMAT = indexQueue

but I still receive non-Admin events, although REGEX=Administrator in the PCRE regex standard means "every string that contains the word Administrator". I suppose the filter is not working. Is there a way to filter in the parsing queue on a field basis?

0 Karma

fab73
Path Finder

Is the filter applied on source data of the event?

0 Karma

fab73
Path Finder

Thanks. But which is the regular expression that matches the string

"Nome utente: Administrator"

in source data?

I have this event (a classic Windows Security event):

"02/02/2017 10:06:49 AM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=server01
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=2
CategoryString=Accesso/fine sess.
RecordNumber=1549305796
Message=Accesso non riuscito:

Motivo:     Nome utente sconosciuto o password non valida

Nome utente:    Administrator

Dominio:        MyDomain

Tipo di accesso:    3

..."

0 Karma

somesoni2
Revered Legend

The secsetparsing2 REGEX is written as a boolean expression. It should be a regular expression; you can't evaluate it as a field value. Instead of moving non-admins to nullQueue, you can just send admin events to indexQueue, like this:

[secsetparsing2]
REGEX=User_Name=Administrator
DEST_KEY = queue
FORMAT = indexQueue
0 Karma
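As an added illustration (not code from the thread or from Splunk), the script below mimics how a TRANSFORMS chain routes one event in the parsing queue: each REGEX is tested against the raw event text, not against extracted fields, and the last transform whose regex matches sets the queue. It assumes the Italian field labels from the event quoted earlier in the thread and a hypothetical combined transform named keep_admin_logons that requires both the EventCode and the Administrator user name in a single pattern.

```python
import re

# Constructed sample event, modelled on the localized Security event quoted above.
SAMPLE_EVENT = """02/02/2017 10:06:49 AM
LogName=Security
EventCode=529
Type=Failure Audit
ComputerName=server01
Message=Accesso non riuscito:

Motivo:     Nome utente sconosciuto o password non valida

Nome utente:    Administrator

Dominio:        MyDomain
"""
# Same event for an ordinary user (constructed).
NON_ADMIN_EVENT = SAMPLE_EVENT.replace("Administrator", "jsmith")


def route_event(raw, transforms):
    """Apply a chain of (name, regex, queue) transforms to one raw event.

    Every REGEX is tested against the raw event text (never a field value),
    and the last transform whose regex matches decides the final queue.
    """
    queue, matched = "indexQueue", []  # indexQueue is the default destination
    for name, regex, dest in transforms:
        if re.search(regex, raw):
            queue, matched = dest, matched + [name]
    return queue, matched


# The chain from the question. "User_Name!=Administrator" is a field comparison,
# not text that occurs in the event, so secsetparsing2 can never match and the
# EventCode rule lets every 528/529/530 logon through regardless of user.
ORIGINAL_CHAIN = [
    ("setnull", r".", "nullQueue"),
    ("secsetparsing2", r"User_Name!=Administrator", "nullQueue"),
    ("secsetparsing", r"(?m)^EventCode=(528|529|530)", "indexQueue"),
]

# Hypothetical fix: because the last match wins, both conditions must live in
# one regex. (?s) lets .*? span lines; the label is matched exactly as it
# appears in the raw (Italian-localized) event text.
ADMIN_ONLY_CHAIN = [
    ("setnull", r".", "nullQueue"),
    ("keep_admin_logons",
     r"(?ms)^EventCode=(?:528|529|530)$.*?^Nome utente:\s+Administrator\s*$",
     "indexQueue"),
]
```

Running both events through ORIGINAL_CHAIN shows why the non-admin events still reach the indexers; ADMIN_ONLY_CHAIN sends only the Administrator logon to indexQueue.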