Getting Data In
Highlighted

Reducing Windows Security Events flow by filtering in parsing queue

Path Finder

In order to filter out non-administrator logon events on WinEventLog:Security sourcetype, I inserted the following stanza in transforms.conf in proper position I suppose:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[secsetparsing2]
REGEX=User_Name!=Administrator
DEST_KEY = queue
FORMAT = nullQueue

[secsetparsing]
REGEX=(?m)^EventCode=(528|529|530)
DEST_KEY = queue
FORMAT = indexQueue

and in props.conf :

[WinEventLog:Security]     
TRANSFORMS-security=setnull,secsetparsing2,secsetparsing

but it doesn't work: events with User_Name different from Administrator are still coming in last minute to my indexers....any idea? Is there any error? I use Splunk 6.4.1. Any comment is appreciated.

0 Karma
Highlighted

Re: Reducing Windows Security Events flow by filtering in parsing queue

SplunkTrust
SplunkTrust

The secsetparsing2 REGEX is written as boolean expression. It should be regular expression, you can't evaluate as field value. Instead of moving non-admins to nullQueue, you can just send admin events to indexqueue, like this

[secsetparsing2]
REGEX=User_Name=Administrator
DEST_KEY = queue
FORMAT = indexQueue
0 Karma
Highlighted

Re: Reducing Windows Security Events flow by filtering in parsing queue

Path Finder

Thanks. But which is the regular expression that match the string

"Nome utente: Administrator"

in source data?

I have this event (a classic Windows Security event):

"02/02/2017 10:06:49 AM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=server01
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=2
CategoryString=Accesso/fine sess.
RecordNumber=1549305796
Message=Accesso non riuscito:

Motivo:     Nome utente sconosciuto o password non valida

Nome utente:    Administrator

Dominio:        MyDomain

Tipo di accesso:    3

..."

0 Karma
Highlighted

Re: Reducing Windows Security Events flow by filtering in parsing queue

Path Finder

Is the filter applied on source data of the event?

0 Karma
Highlighted

Re: Reducing Windows Security Events flow by filtering in parsing queue

Path Finder

I Tried :

#### Windows:Security

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[secsetparsing2]
REGEX=Administrator
DEST_KEY = queue
FORMAT = indexQueue

[secsetparsing]
REGEX=(?m)^EventCode=(528|529)
DEST_KEY = queue
FORMAT = indexQueue

but still receive non Admin events altought REGEX=Administrator in Regex PCRE Standard means "every string that contains Administrator word". I suppose the filter is not working. Does exist a way to filter in the parsing queue on a field basis ?

0 Karma
Highlighted

Re: Reducing Windows Security Events flow by filtering in parsing queue

Path Finder

It works splitting the filters by mean of two sequence of tansforms in transforms.conf and props.conf

Windows:Security

[setnull]
[secsetparsing]

Windows:Security

[setnull2]
[secsetparsing2]

View solution in original post

0 Karma