Getting Data In

Using a universal forwarder to filter the Message Field from Windows Security Logs - Splunk 6

apchristie
Explorer

Hello,

We are trying to cut the message field out of all of the Windows Security Logs coming from our domain controllers. I have tried looking though some of the other answer posts and I have tried using this article where you put

[WinEventLog:Security] 
disabled = 0
suppress_text = 1

However I am not sure exactly what that references to remove data from the log. I know older answers said you could use a regex on the props.conf and transforms.conf file but I wasn't sure if that was still the best way for Splunk 6.

All that said to really say could anyone help with removing the Message text from Windows Security Logs. Thanks in advance!

Tags (2)
0 Karma
1 Solution

dkuk
Path Finder

According to <splunk_home>\etc\system\README\inputs.conf.spec as below, the change you mention should remove the event description/text as you are trying to do:

[WinEventLog://<name>]

suppress_text = [0|1]
* Tells Splunk whether or not to include the description of the event text for a given 
  Event Log event.
* Optional. This parameter can be left empty.
* A value of 1 suppresses the inclusion of the event text description.
* A value of 0 includes the event text description.
* If no value is present, defaults to 0.

So your inputs.conf entry should look like:

[WinEventLog://Security]
disabled = 0
suppress_text = 1

This is what you have tried right?

If it's not working then double check that your config is going to be active by using the btool command from <splunk_home>\bin folder:

splunk cmd btool inputs list --debug
and check that the block for WinEventLog://Security has the surpress_text value set to 1. Also ensure you restart splunk after the config change.

By the way this README folder where the above is located is extremely useful for looking at what parameters are available to you for each config file - there's a .spec and .example file for each config file you might use in Splunk.

Personally I've had mixed success with the Windows event log filtering built into v6. Filtering out event IDs in the input hasn't always completely filtered the event. Perhaps there are some nuances with the filter that I'm not aware of. When I wanted to filter out certain event IDs I ended up implementing nullQueue filtering using props and transforms.

View solution in original post

dkuk
Path Finder

According to <splunk_home>\etc\system\README\inputs.conf.spec as below, the change you mention should remove the event description/text as you are trying to do:

[WinEventLog://<name>]

suppress_text = [0|1]
* Tells Splunk whether or not to include the description of the event text for a given 
  Event Log event.
* Optional. This parameter can be left empty.
* A value of 1 suppresses the inclusion of the event text description.
* A value of 0 includes the event text description.
* If no value is present, defaults to 0.

So your inputs.conf entry should look like:

[WinEventLog://Security]
disabled = 0
suppress_text = 1

This is what you have tried right?

If it's not working then double check that your config is going to be active by using the btool command from <splunk_home>\bin folder:

splunk cmd btool inputs list --debug
and check that the block for WinEventLog://Security has the surpress_text value set to 1. Also ensure you restart splunk after the config change.

By the way this README folder where the above is located is extremely useful for looking at what parameters are available to you for each config file - there's a .spec and .example file for each config file you might use in Splunk.

Personally I've had mixed success with the Windows event log filtering built into v6. Filtering out event IDs in the input hasn't always completely filtered the event. Perhaps there are some nuances with the filter that I'm not aware of. When I wanted to filter out certain event IDs I ended up implementing nullQueue filtering using props and transforms.

dkuk
Path Finder

No worries glad to have helped.

0 Karma

apchristie
Explorer

Thank you. The issue was we had not put the entry in the correct inputs.conf file.

Thank you for the help it was easy to spot with that command.

0 Karma

apchristie
Explorer

The quoted text was added to the inputs.conf file. Sorry didn't say that in the original.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...