Getting Data In

Using a universal forwarder to filter the Message Field from Windows Security Logs - Splunk 6

apchristie
Explorer

Hello,

We are trying to cut the message field out of all of the Windows Security Logs coming from our domain controllers. I have tried looking though some of the other answer posts and I have tried using this article where you put

[WinEventLog:Security] 
disabled = 0
suppress_text = 1

However I am not sure exactly what that references to remove data from the log. I know older answers said you could use a regex on the props.conf and transforms.conf file but I wasn't sure if that was still the best way for Splunk 6.

All that said to really say could anyone help with removing the Message text from Windows Security Logs. Thanks in advance!

Tags (2)
0 Karma
1 Solution

dkuk
Path Finder

According to <splunk_home>\etc\system\README\inputs.conf.spec as below, the change you mention should remove the event description/text as you are trying to do:

[WinEventLog://<name>]

suppress_text = [0|1]
* Tells Splunk whether or not to include the description of the event text for a given 
  Event Log event.
* Optional. This parameter can be left empty.
* A value of 1 suppresses the inclusion of the event text description.
* A value of 0 includes the event text description.
* If no value is present, defaults to 0.

So your inputs.conf entry should look like:

[WinEventLog://Security]
disabled = 0
suppress_text = 1

This is what you have tried right?

If it's not working then double check that your config is going to be active by using the btool command from <splunk_home>\bin folder:

splunk cmd btool inputs list --debug
and check that the block for WinEventLog://Security has the surpress_text value set to 1. Also ensure you restart splunk after the config change.

By the way this README folder where the above is located is extremely useful for looking at what parameters are available to you for each config file - there's a .spec and .example file for each config file you might use in Splunk.

Personally I've had mixed success with the Windows event log filtering built into v6. Filtering out event IDs in the input hasn't always completely filtered the event. Perhaps there are some nuances with the filter that I'm not aware of. When I wanted to filter out certain event IDs I ended up implementing nullQueue filtering using props and transforms.

View solution in original post

dkuk
Path Finder

According to <splunk_home>\etc\system\README\inputs.conf.spec as below, the change you mention should remove the event description/text as you are trying to do:

[WinEventLog://<name>]

suppress_text = [0|1]
* Tells Splunk whether or not to include the description of the event text for a given 
  Event Log event.
* Optional. This parameter can be left empty.
* A value of 1 suppresses the inclusion of the event text description.
* A value of 0 includes the event text description.
* If no value is present, defaults to 0.

So your inputs.conf entry should look like:

[WinEventLog://Security]
disabled = 0
suppress_text = 1

This is what you have tried right?

If it's not working then double check that your config is going to be active by using the btool command from <splunk_home>\bin folder:

splunk cmd btool inputs list --debug
and check that the block for WinEventLog://Security has the surpress_text value set to 1. Also ensure you restart splunk after the config change.

By the way this README folder where the above is located is extremely useful for looking at what parameters are available to you for each config file - there's a .spec and .example file for each config file you might use in Splunk.

Personally I've had mixed success with the Windows event log filtering built into v6. Filtering out event IDs in the input hasn't always completely filtered the event. Perhaps there are some nuances with the filter that I'm not aware of. When I wanted to filter out certain event IDs I ended up implementing nullQueue filtering using props and transforms.

dkuk
Path Finder

No worries glad to have helped.

0 Karma

apchristie
Explorer

Thank you. The issue was we had not put the entry in the correct inputs.conf file.

Thank you for the help it was easy to spot with that command.

0 Karma

apchristie
Explorer

The quoted text was added to the inputs.conf file. Sorry didn't say that in the original.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...