In order to filter out non-administrator logon events on the WinEventLog:Security sourcetype, I inserted the following stanzas in transforms.conf, in what I believe is the proper position:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[secsetparsing2]
REGEX=User_Name!=Administrator
DEST_KEY = queue
FORMAT = nullQueue
[secsetparsing]
REGEX=(?m)^EventCode=(528|529|530)
DEST_KEY = queue
FORMAT = indexQueue
and in props.conf:
[WinEventLog:Security]
TRANSFORMS-security=setnull,secsetparsing2,secsetparsing
but it doesn't work: events with User_Name different from Administrator are still coming in to my indexers in the last minute. Any idea? Is there any error? I use Splunk 6.4.1. Any comment is appreciated.
It works by splitting the filters by means of two sequences of transforms in transforms.conf and props.conf:
[setnull]
[secsetparsing]
[setnull2]
[secsetparsing2]
I tried:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[secsetparsing2]
REGEX=Administrator
DEST_KEY = queue
FORMAT = indexQueue
[secsetparsing]
REGEX=(?m)^EventCode=(528|529)
DEST_KEY = queue
FORMAT = indexQueue
but I still receive non-admin events, although REGEX=Administrator in PCRE standard regex means "every string that contains the word Administrator". I suppose the filter is not working. Is there a way to filter in the parsing queue on a field basis?
Is the filter applied on source data of the event?
Thanks. But which is the regular expression that matches the string
"Nome utente: Administrator"
in source data?
I have this event (a classic Windows Security event):
"02/02/2017 10:06:49 AM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=server01
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=2
CategoryString=Accesso/fine sess.
RecordNumber=1549305796
Message=Accesso non riuscito:
Motivo: Nome utente sconosciuto o password non valida
Nome utente: Administrator
Dominio: MyDomain
Tipo di accesso: 3
..."
The secsetparsing2 REGEX is written as a boolean expression. It should be a regular expression; you can't evaluate it as a field value. Instead of moving non-admins to nullQueue, you can just send admin events to indexQueue, like this:
[secsetparsing2]
REGEX=User_Name=Administrator
DEST_KEY = queue
FORMAT = indexQueue
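To see why the original chain and the second attempt (REGEX=Administrator) both let non-admin events through, and which regex matches the "Nome utente: Administrator" line asked about above, here is an added Python model of the transform chain. It is not part of the thread and not Splunk code. It assumes Splunk's documented behaviour that each REGEX in a TRANSFORMS- list is tested against the raw event text (_raw) in the order listed and that every match overwrites the queue key, so the last matching transform decides the destination; it uses Python's re module as a stand-in for Splunk's PCRE engine, and the event text, the user name mrossi and the combined regex in RAW_MATCH are constructed for the example. The English-locale label "User Name:" for these legacy event IDs is also an assumption.

```python
import re

# Constructed sample: the Italian-locale Security event quoted in the thread.
ADMIN_EVENT = """02/02/2017 10:06:49 AM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=server01
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=2
CategoryString=Accesso/fine sess.
RecordNumber=1549305796
Message=Accesso non riuscito:
Motivo: Nome utente sconosciuto o password non valida
Nome utente: Administrator
Dominio: MyDomain
Tipo di accesso: 3
"""

# Constructed variants: same event for a non-admin user, and an admin logon
# with an event code outside the 528/529/530 set.
USER_EVENT = ADMIN_EVENT.replace("Nome utente: Administrator", "Nome utente: mrossi")
ADMIN_OTHER_CODE = ADMIN_EVENT.replace("EventCode=529", "EventCode=4625")


def route(raw, transforms, default="indexQueue"):
    """Simplified model of a TRANSFORMS-<name> chain (assumption, see lead-in).

    Each (REGEX, FORMAT) pair is tried in order against the raw event text;
    every match overwrites the queue key, so the last matching transform wins.
    """
    queue = default
    for regex, fmt in transforms:
        if re.search(regex, raw):
            queue = fmt
    return queue


# Chain 1: the original post. "User_Name!=Administrator" is a search-style
# field comparison, not a regex; that literal string never occurs in _raw,
# so the transform never fires and the EventCode transform re-indexes everything.
ORIGINAL = [
    (r".", "nullQueue"),
    (r"User_Name!=Administrator", "nullQueue"),
    (r"(?m)^EventCode=(528|529|530)", "indexQueue"),
]

# Chain 2: the second attempt. "Administrator" does match the raw admin event,
# but the EventCode transform listed after it also matches non-admin 528/529
# events and sets indexQueue again, so they are still indexed.
SECOND_ATTEMPT = [
    (r".", "nullQueue"),
    (r"Administrator", "indexQueue"),
    (r"(?m)^EventCode=(528|529)", "indexQueue"),
]

# Chain 3 (constructed): one transform that matches the text as it actually
# appears in _raw and requires both conditions. (?ms) lets ^/$ anchor per line
# and lets .* span lines; \s*$ after the name keeps "Administrators" from matching.
RAW_MATCH = [
    (r".", "nullQueue"),
    (r"(?ms)^EventCode=(528|529|530)\s*$.*^(?:Nome utente|User Name):\s*Administrator\s*$",
     "indexQueue"),
]


def compare_chains(raw):
    """Return the queue each chain assigns to one raw event."""
    return {
        "original": route(raw, ORIGINAL),
        "second_attempt": route(raw, SECOND_ATTEMPT),
        "raw_match": route(raw, RAW_MATCH),
    }


if __name__ == "__main__":
    for name, ev in (("admin 529", ADMIN_EVENT),
                     ("mrossi 529", USER_EVENT),
                     ("admin 4625", ADMIN_OTHER_CODE)):
        print(name, compare_chains(ev))
```

Only the third chain sends the non-admin 529 event to nullQueue; the first two index it because the EventCode transform is evaluated last and overrides the earlier decision. The same ordering rule is why the asker's later split into two transform sequences worked.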