Getting Data In

SEDCMD with multiline mode doesnt work

noveix
Explorer

Trying to discard part of an event using SEDCMD doesnt seem to work. I was expecting everything between 'Subject' .. and 'Collapse' strings be discarded, however its still appears in the index. I have ingested the logs multiple time using the correct sourcetype (windows:sec_event) ... still no luck !!

Any pointers would be appreciated.

props.conf entry

[windows:sec_event]
MAX_TIMESTAMP_LOOKAHEAD = 50
NO_BINARY_CHECK = 1
pulldown_type = 1
SEDCMD-filter = s/(?im)^Subject:.+Collapse$//g

Log event :

03/13/2014 03:03:50 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4742
EventType=0
Type=Information
ComputerName=test123.test.com.au
TaskCategory=Computer Account Management
OpCode=Info
RecordNumber=171516223
Keywords=Audit Success
Message=A computer account was changed.

Subject:
Security ID: NT AUTHORITY\ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x3e6

Computer Account That Was Changed:
Security ID: TEST\test$
Account Name: test$
Account Domain: TEST

Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 13/03/2014 3:03:50 PM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: -
DNS Host Name: -
Service Principal Names: -

Additional Information:
Privileges: -
Collapse

Tags (2)
0 Karma

noveix
Explorer

Got this working .. had to use both REGEX modifiers .. 'm' and 's' flags as below

SEDCMD-filter = s/(?ims)^Subject:.+Collapse$//g

noveix
Explorer

Should I be logging this as a bug, I have tested the REGEX several times and its verified OK ..

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...