WEF .conf files

Gil · ‎07-21-2024

Hi,

in our organization we use wef to monitor windows.

we configure an inputs.conf for monitoring from the Event viewer.

the powershell events (mainly event code 800 and 4103) logs received too long and we want to cut duplicated data.

we tried various test with props.conf and transforms.conf and nothing works, here some of our stanzas we tried in props.conf

[source::"XmlWinEventLog:Windows PowerShell"]
SEDCMD-CLean_powershell_800 = s/s/\n\s+Context\sInformation\:.*([\r\n]+.*){0,500}////g
SEDCMD-CLean_powershell_4103 = s/s/\s+Context\:.*([\r\n]+.*){0,500}////g


[source::XmlWinEventLog:Microsoft-Windows-PowerShell/Operational]
SEDCMD-CLean_powershell_800 = s/s/\n\s+Context\sInformation\:.*([\r\n]+.*){0,500}////g
SEDCMD-CLean_powershell_4103 = s/s/\s+Context\:.*([\r\n]+.*){0,500}////g


[WinEventLog://Microsoft-Windows-PowerShell/Operational]
SEDCMD-CLean_powershell_800 = s/s/\n\s+Context\sInformation\:.*([\r\n]+.*){0,500}////g
SEDCMD-CLean_powershell_4103 = s/s/\s+Context\:.*([\r\n]+.*){0,500}////g

also i wanted to make sure the inputs.conf stanza for powershell is correctly when i used :

renderXml = true

over:

wec_event_format = rendered_event

richgalloway · ‎07-21-2024

I see a few issues, but don't know that fixing them will solve the problem.

1. All of the sed commands are malformed. There should be a single "s/" at the beginning and only 2 slashes before the final 'g'.

2: I'm not sure quotation marks are allowed in a stanza name.

3. "WinEventLog://" is a prefix for inputs.conf stanzas, not for props.conf.

4. Have you tried using a sourcetype name in the props.conf stanza rather than a source name?

It would help to see some sample events and to know which parts of the events you wish to remove.

If you want someone to confirm the inputs.conf stanza then you'll need to show the inputs.conf stanza.

---
If this reply helps you, Karma would be appreciated.

Gil · ‎07-23-2024

your suggestion didn't help unfortunately ,
this is an example for a log, I need to cut all the data after "Context Information" (include)

attachment is added.

richgalloway · ‎07-23-2024

Which of the 4 suggestions did you try? Did none of them help?

It would help to have the event in text rather than as an image since it's impossible to put an image in regex101.com for testing. Try this untested prop

[mysourcetype]
SEDCMD-noContext = s/Context Information:.*/Context Information:/g

---
If this reply helps you, Karma would be appreciated.

Gil · ‎07-23-2024

we found something else that helped us.

but thanks for your help!

PickleRick · ‎07-23-2024

It would be nice if you wrote what solved your problem.

My suspicion is that either you had your setting on a wrong component or you referenced wrong source (with WEF-forwarded events the addon does rewrite of the source from the ForwardedEvents eventlog to the original eventlog the event was forwarded fron)

Gil · ‎07-23-2024

as mention we drop one of the "s/" and also the "g" at the end:

SEDCMD-CLean_powershell_800 = s/\n\s+Context Information\:.*([\r\n]+.*){0,500}//
SEDCMD-CLean_powershell_4103 = s/\s+Context\:.*([\r\n]+.*){0,500}//

richgalloway · ‎07-24-2024

So you didn't "find something else that helped". You used my answer.

---
If this reply helps you, Karma would be appreciated.

Gil · ‎07-25-2024

you didn't say to drop the "g" at the end.

of course your suggestion helped but not fully.

WEF .conf files

inputs.conf

props.conf

source

sourcetype

transforms.conf

Windows

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Building Momentum: Splunk Developer Program at .conf25

Are you a member of the Splunk Community?

WEF .conf files