Getting Data In
Provide Splunk Cloud feedback in this confidential UX survey by June 17
for a chance to win a $200 Amazon gift card!

Whitelist Query

ryanadamski
Loves-to-Learn Lots

Hello,

I am ingesting file auditing logs to monitor changes to certain files. I am monitoring events 4663 and 4656 which have an Object Name that lists the file path of the accessed file. We are only concerned about .pdf, .doc, and .docx files and would like to filter out any other file type.

Currently I have the below whitelist in place but I am getting stuck trying to figure out how to only ingest certain file types (.pdf, .doc, and .docx) under the Object Name field within the log. 

whitelist = 4663,4656

Here is a log 4663 example (I bolded the part we want to filter): 

 An attempt was made to access an object.

Subject:
Security ID: Test User
Account Name: Test User
Account Domain: Test
Logon ID: 12345567

Object:
Object Server: Security
Object Type: File
Object Name: D:\Data\Test\Test.pdf
Handle ID: 0x0552

Any help would be great. Thank you.

Labels (3)
0 Karma

ericjorgensenjr
Path Finder

You can send events that don't match one of those document types to the nullQueue using props/transforms like these:

props.conf

[<name of relevant sourcetype>]
TRANSFORMS-nullobject=nullobject

transforms.conf

[nullobject]
REGEX=Object\sName:\s+[^\.]+\.(?:(?i)(?:pdf)|(?:doc)|(?:docx))$
DEST_KEY=queue
FORMAT=nullQueue

 

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!