WinEventLog Security Regex

barne_dn · ‎10-10-2012

Hi Everyone,

I have windows security event filter setup and working on my indexer. However I want to filter on three variables.

The logic is as follows: Keep all events, except the ones that match the regex.

My current filter looks like this:

[dropevents]
REGEX = (?msi)^EventCode=(123|678|910).*^(User=userxxx)
DEST_KEY = queue
FORMAT = nullQueue

I want to add one more variable to the filter (Type=Success Audit).

Also, in the future I may want to add a hostname to this regex, so that it only filters out these events on a certain host, so once host name is added it would be filtering on 4 variables.

Thanks!

BP9906 · ‎11-05-2012

This works like a charm.

/opt/splunk/etc/system/local/transform.conf

#Exclude Sample User Authentication Events
[nullFilter-user1]
REGEX=(?ism)EventCode\s*=\s*(123|456|789).*User\s*=\s*user
DEST_KEY=queue
FORMAT=nullQueue

/opt/splunk/etc/system/local/props.conf

[source::WinEventLog:Security]
TRANSFORMS-nullQ=nullFilter-user1

I do this to filter out all sorts of things. 🙂
Enjoy.

barne_dn · ‎10-16-2012

What would be syntax for adding to the regex. I've only seen examples of addting two variables to a regex, not three or four.

dturnbull_splun · ‎10-12-2012

Do you need to filter these independently or dependently? i.e. must we match the eventcode, type and user and host? or is it some combination, i.e eventcode+host or eventcode+user? for the former, just add to your regex, for the later, add multiple stanzas.

WinEventLog Security Regex

User Groups | Upcoming Events!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)