SEDCMD Assistance Please

pirsa
Explorer

Howdy All,

I am looking for some assistance with a SEDCMD. I am trying to clean up some XmlWineventlog:security events, particularly the 4688 Event, where we are capturing the command line for running processes. We are finding that this is causing us some ingestion woes at the moment, with some _raw event sizes being over 5kb each. So we are trying to clean up some of the Normal Noise in this <data> Name='CommandLine'> ...... </data> for certain processes.

These are currently being collected by the Windows TA on Universal Forwarders on each desktop, so this will be added to the local/props.conf.

The first one I have looked at is something our Citrix VPN client does, which is spawn some PowerShell. The event is rather large, so I am looking to strip out the content and replace it with some meaningful text. I have confirmed the regex works; I am just wanting advice on the actual SEDCMD.

Does this appear correct?

SEDCMD-cleanxmlcitrixcommandprocess = s/("powershell\.exe" "-Command\s{6})((\$version='1\.0\.0\.0'\s\$application='CitrixVPN')[\S\s\r\n]+("))/gm /Citrix Command process/

And in the props.conf file, should this be under:

[source::WinEventLog:Security]

or

[source::XmlWinEventLog:Security] - which is the current sourcetype of the event when searching on the indexer.

Any assistance would be greatly appreciated.

richgalloway
SplunkTrust

It looks like the SEDCMD is in the wrong format. Try this:

SEDCMD-cleanxmlcitrixcommandprocess = s/("powershell\.exe" "-Command\s{6})((\$version='1\.0\.0\.0'\s\$application='CitrixVPN')[\S\s\r\n]+("))/Citrix Command process/gm

BTW, this setting should be on the first parsing Splunk instance (HF or indexer). 

---
If this reply helps you, Karma would be appreciated.
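As an added example (not from this thread, the Windows TA, or Splunk's own code), the Python below simulates the corrected SEDCMD on a constructed, abridged 4688 event so the substitution can be checked offline before it reaches the first parsing instance; the sample event text, the helper names and the simplified flag handling are assumptions, and the second function shows one caveat with this particular regex.

```python
import re

# Constructed, abridged stand-in for an XmlWinEventLog:Security 4688 event (not a real capture).
# The CommandLine payload mimics the Citrix-spawned PowerShell shape described in the question:
# "-Command" followed by exactly six spaces, then the $version/$application preamble.
SAMPLE_EVENT = (
    "<Event><System><EventID>4688</EventID></System><EventData>"
    "<Data Name='NewProcessName'>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>"
    "<Data Name='CommandLine'>\"powershell.exe\" \"-Command      $version='1.0.0.0' "
    "$application='CitrixVPN' ... several kilobytes of script text ... \"</Data>"
    "<Data Name='ParentProcessName'>C:\\Program Files\\Citrix\\vpn.exe</Data>"
    "</EventData></Event>"
)

# The corrected SEDCMD value from the reply above (flags after the final slash), copied verbatim.
SEDCMD = r'''s/("powershell\.exe" "-Command\s{6})((\$version='1\.0\.0\.0'\s\$application='CitrixVPN')[\S\s\r\n]+("))/Citrix Command process/gm'''


def _split_unescaped(text, delim="/"):
    """Split on delim while keeping backslash-escaped pairs (including an escaped slash) intact."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2]); i += 2; continue
        if text[i] == delim:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts


def apply_sedcmd(sedcmd, raw):
    """Apply an 's/<regex>/<replacement>/<flags>' SEDCMD to one raw event.
    Simulator only (assumption): 'g' replaces every match, otherwise just the first;
    any other flag letters (such as the 'm' above) are ignored here."""
    if not sedcmd.startswith("s/"):
        raise ValueError("only the s/// substitution form is simulated")
    parts = _split_unescaped(sedcmd[2:])
    if len(parts) != 3:
        raise ValueError("expected s/regex/replacement/flags")
    pattern, replacement, flags = parts
    return re.sub(pattern, replacement, raw, count=0 if "g" in flags else 1)


def clean_example():
    """Happy path: the CommandLine payload collapses to the marker text; later fields survive."""
    return apply_sedcmd(SEDCMD, SAMPLE_EVENT)


# Caveat: the [\S\s\r\n]+ class is greedy, so the match runs to the LAST double quote in the
# whole event. If a later field also contains a quote (constructed here), the replacement
# swallows every field in between, ParentProcessName included.
def overrun_example():
    return apply_sedcmd(SEDCMD, SAMPLE_EVENT.replace("vpn.exe</Data>", "vpn.exe \"x\"</Data>"))
```

Running `clean_example()` and `overrun_example()` side by side is a quick way to decide whether the closing `(")` should be anchored to something more specific than any quote before deploying the setting.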