Trying to discard part of an event using SEDCMD doesn't seem to work. I was expecting everything between the 'Subject' .. and 'Collapse' strings to be discarded, however it still appears in the index. I have ingested the logs multiple times using the correct sourcetype (windows:sec_event) ... still no luck !!
Any pointers would be appreciated.
props.conf entry:
[windows:sec_event]
MAX_TIMESTAMP_LOOKAHEAD = 50
NO_BINARY_CHECK = 1
pulldown_type = 1
SEDCMD-filter = s/(?im)^Subject:.+Collapse$//g
Log event:
03/13/2014 03:03:50 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4742
EventType=0
Type=Information
ComputerName=test123.test.com.au
TaskCategory=Computer Account Management
OpCode=Info
RecordNumber=171516223
Keywords=Audit Success
Message=A computer account was changed.
Subject:
Security ID: NT AUTHORITY\ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x3e6
Computer Account That Was Changed:
Security ID: TEST\test$
Account Name: test$
Account Domain: TEST
Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 13/03/2014 3:03:50 PM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: -
DNS Host Name: -
Service Principal Names: -
Additional Information:
Privileges: -
Collapse
Got this working .. had to use both REGEX modifiers, the 'm' and 's' flags, as below:
SEDCMD-filter = s/(?ims)^Subject:.+Collapse$//g
Should I be logging this as a bug? I have tested the REGEX several times and it's verified OK ..
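The difference between the two SEDCMD lines in this thread comes down to what '.' is allowed to match: with (?im) the '^' and '$' anchors work per line, but '.' still stops at a newline, so '^Subject:.+Collapse$' can never span the multi-line Subject block; adding 's' lets '.' consume newlines. The following added example (not from the thread or from Splunk; it uses Python's re module to emulate the 's/.../ /g' substitution on a constructed 4742 event modelled on the one quoted above, with hypothetical helper names) shows the first expression leaving the event untouched and the second removing the block, and lists the lines that the working expression drops.

```python
import re

# Constructed sample event, modelled on the EventCode=4742 event quoted in the
# question (not the original ingestion data). The Subject block sits between
# the "Subject:" line and the "Collapse" line and spans several lines.
SAMPLE_EVENT = """03/13/2014 03:03:50 PM
LogName=Security
EventCode=4742
Message=A computer account was changed.
Subject:
Security ID: NT AUTHORITY\\ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x3e6
Computer Account That Was Changed:
Security ID: TEST\\test$
Account Name: test$
Account Domain: TEST
Changed Attributes:
Password Last Set: 13/03/2014 3:03:50 PM
Additional Information:
Privileges: -
Collapse"""

# The two regexes from the thread, written as Python inline flags.
# (?im): ^ and $ anchor at line boundaries, but '.' does not cross a newline.
# (?ims): as above, and '.' also consumes newlines, so .+ can span the block.
FAILING_PATTERN = r"(?im)^Subject:.+Collapse$"
WORKING_PATTERN = r"(?ims)^Subject:.+Collapse$"


def apply_sedcmd(event: str, pattern: str) -> str:
    """Emulate SEDCMD 's/<pattern>//g': delete every match from the event."""
    return re.sub(pattern, "", event)


def subject_block_removed(event: str) -> bool:
    """True when nothing from 'Subject:' through 'Collapse' survived."""
    return "Subject:" not in event and "Collapse" not in event


def dropped_lines(event: str, pattern: str) -> list[str]:
    """Lines the SEDCMD discards, so the loss to the index can be reviewed."""
    kept = set(apply_sedcmd(event, pattern).splitlines())
    return [line for line in event.splitlines() if line not in kept]


if __name__ == "__main__":
    for flags, pattern in (("(?im)", FAILING_PATTERN), ("(?ims)", WORKING_PATTERN)):
        result = apply_sedcmd(SAMPLE_EVENT, pattern)
        print(f"{flags}: subject block removed = {subject_block_removed(result)}")
    print("Lines dropped by the (?ims) version:")
    for line in dropped_lines(SAMPLE_EVENT, WORKING_PATTERN):
        print("  ", line)
```

Running it prints that the (?im) version removes nothing and the (?ims) version removes the whole block. The dropped-lines listing is worth a look before deploying such a filter: the Subject block holds the actor's Security ID, Account Name and Logon ID for the account change, which is usually the first thing an investigator wants from a 4742 event.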