Getting Data In

Reducing Windows Security Events flow by filtering in parsing queue

fab73
Path Finder

In order to filter out non-administrator logon events on the WinEventLog:Security sourcetype, I inserted the following stanzas in transforms.conf, in the proper position I suppose:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[secsetparsing2]
REGEX=User_Name!=Administrator
DEST_KEY = queue
FORMAT = nullQueue

[secsetparsing]
REGEX=(?m)^EventCode=(528|529|530)
DEST_KEY = queue
FORMAT = indexQueue

and in props.conf :

[WinEventLog:Security]     
TRANSFORMS-security=setnull,secsetparsing2,secsetparsing

but it doesn't work: events with User_Name different from Administrator are still arriving at my indexers in the last minute... any idea? Is there any error? I use Splunk 6.4.1. Any comment is appreciated.

0 Karma
1 Solution

fab73
Path Finder

It works by splitting the filters by means of two sequences of transforms in transforms.conf and props.conf

Windows:Security

[setnull]
[secsetparsing]

Windows:Security

[setnull2]
[secsetparsing2]


0 Karma

fab73
Path Finder

I tried:

#### Windows:Security

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[secsetparsing2]
REGEX=Administrator
DEST_KEY = queue
FORMAT = indexQueue

[secsetparsing]
REGEX=(?m)^EventCode=(528|529)
DEST_KEY = queue
FORMAT = indexQueue

but I still receive non-Admin events, although REGEX=Administrator in PCRE standard regex means "every string that contains the word Administrator". I suppose the filter is not working. Is there a way to filter in the parsing queue on a field basis?

0 Karma

fab73
Path Finder

Is the filter applied on source data of the event?

0 Karma

fab73
Path Finder

Thanks. But which is the regular expression that matches the string

"Nome utente: Administrator"

in source data?

I have this event (a classic Windows Security event):

"02/02/2017 10:06:49 AM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=server01
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=2
CategoryString=Accesso/fine sess.
RecordNumber=1549305796
Message=Accesso non riuscito:

Motivo:     Nome utente sconosciuto o password non valida

Nome utente:    Administrator

Dominio:        MyDomain

Tipo di accesso:    3

..."

0 Karma

somesoni2
SplunkTrust

The secsetparsing2 REGEX is written as a boolean expression. It should be a regular expression; you can't evaluate it as a field value. Instead of moving non-admins to nullQueue, you can just send admin events to indexQueue, like this

[secsetparsing2]
REGEX=User_Name=Administrator
DEST_KEY = queue
FORMAT = indexQueue
0 Karma
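An added illustration, not code from the thread: this Python script simulates how a TRANSFORMS-<class> sequence routes an event (each transform whose REGEX matches the raw event text overwrites the queue key, so the last match wins; that ordering rule is assumed from the documented setnull/setparsing pattern). It runs the original sequence from the question against a constructed copy of the Italian-locale event quoted above, showing why non-Administrator events still reach indexQueue, and then a single regex that requires both the EventCode and the "Nome utente: Administrator" line in the raw text (regex and sample events are my own, not from the thread).

```python
import re

# Constructed sample, modelled on the Italian-locale Security event quoted in the thread
EVENT_ADMIN = """02/02/2017 10:06:49 AM
LogName=Security
EventCode=529
Type=Failure Audit
Message=Accesso non riuscito:
Motivo:     Nome utente sconosciuto o password non valida
Nome utente:    Administrator
Dominio:        MyDomain
"""
EVENT_OTHER = EVENT_ADMIN.replace("Administrator", "jdoe")        # failed logon, other user
EVENT_SUCCESS = EVENT_ADMIN.replace("EventCode=529", "EventCode=540")  # admin, other EventCode


def route(event, transforms):
    """Simulate one ordered TRANSFORMS-<class> list.

    Each (REGEX, FORMAT) pair whose regex matches the raw event text sets the
    queue key; a later match overwrites an earlier one, so the last match wins.
    Events matching nothing keep the default indexQueue. (Assumed model of
    Splunk's queue routing, not Splunk's own code.)
    """
    queue = "indexQueue"
    for regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


# The sequence from the question: the middle regex is literal text that never
# occurs in a raw event, so only setnull and the EventCode check take effect.
ORIGINAL = [
    (r".", "nullQueue"),
    (r"User_Name!=Administrator", "nullQueue"),
    (r"(?m)^EventCode=(528|529|530)", "indexQueue"),
]

# One regex that matches the raw text of the event and requires both conditions:
# (?m) makes ^/$ line anchors, (?s) lets .* span the lines between them.
COMBINED = [
    (r".", "nullQueue"),
    (r"(?ms)^EventCode=(528|529|530)$.*^Nome utente:\s+Administrator\s*$", "indexQueue"),
]

if __name__ == "__main__":
    for name, ev in [("admin", EVENT_ADMIN), ("other", EVENT_OTHER), ("success", EVENT_SUCCESS)]:
        print(f"{name:8s} original={route(ev, ORIGINAL):11s} combined={route(ev, COMBINED)}")
```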