Getting Data In

Unable to drop windows XML formatted events

Suraj1
Loves-to-Learn

Dears,

 

I'm trying to filter out XML formatted events and below is sample event and REGEX which we used:

Sample Events:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>1</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-03-18T07:29:59.988001100Z'/><EventRecordID>11295805761</EventRecordID><Correlation/><Execution ProcessID='796' ThreadID='25576'/><Channel>Security</Channel><Computer>DC01.XXXX.COM</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>UCXXX\XXXDSOD02$</Data><Data Name='TargetUserName'>XXXDSOD02$</Data><Data Name='TargetDomainName'>UCXXX</Data><Data Name='TargetLogonId'>0x13443956d5</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Kerberos</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{5517AA4A-D860-6053-03FD-1FE752FC995B}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>172.X.X.73</Data><Data Name='IpPort'>53681</Data><Data Name='ImpersonationLevel'>%%1833</Data></EventData></Event>

 

Regex Implemented in inputs.conf file:

blacklist10 = EventCode="4624" Message="SubjectUserSid:\s+(NULL SID)"
blacklist11 = $xmlRegex="\<EventID\>4624.*\'SubjectUserSid\'\>NULL\sSID\<.+SubjectUserName\'\>\-\<.+SubjectDomainName\'\>\-\<.+SubjectLogonId\'\>0x0\<"
blacklist12 = EventCode="4624" WorkstationName="-"

Props.conf:

TRANSFORMS-null=setnull

Transforms.conf:

[setnull]
SOURCE_KEY = _raw
REGEX = (\<EventID\>4624.+\'SubjectUserSid\'\>NULL\sSID\<.+SubjectUserName\'\>\-\<.+SubjectDomainName\'\>\-\<.+SubjectLogonId\'\>0x0\<)
DEST_KEY = queue
FORMAT = nullQueue

Please suggest if you have solution for this.

Thanks,

Suraj

 

 

Labels (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

https://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Event_Log_allow_list_and_deny_l...

  * $XmlRegex: Use this key for filtering when you render Windows Event
    log events in XML by setting the 'renderXml' setting to "true". Search
    the online documentation for "Filter data in XML format with the
    XmlRegex key" for details.

Also remember that transforms are not (typically) run on UFs. So your setnull transform is _not_ run if defined on the UF.

0 Karma

Suraj1
Loves-to-Learn

Dear Karma,

 

We tried to use the suggested option.

Can you please guide us where to update the file as we suspect on location where we writing Regex.

Currently, we have updated windows folder on deployment server and /etc/system/local/ directory on HF level.

Thanks,

Suraj

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...