Getting Data In
Highlighted

WinEventLog:Security filter

Explorer

I'm running Splunk 4.2.5 server on CentOS. I've also installed SplunkForwarder 4.3 on a Win2k3 server, collecting Application, Security, and System events.

On the server, I have defined

props.conf
[WinEventLog:Security]
TRANSFORMS-set=dropevents

transforms.conf
[dropevents]
REGEX = (?msi)^EventCode=(560|562|567).*^(Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue

I've tried various forms of the REGEX, including just the EventCodes, one EventCode, etc. Nothing seems to work; no events are dropped. I read that this was a known issue before 4.2.1, but it is not listed in the 4.3 known issues. Can anyone enlighten me as to what I may be doing wrong?

Highlighted

Re: WinEventLog:Security filter

Communicator

Your regex is incorrect.

It is Type=Success Audit, not Type=Audit Success (this happens with Windows 2008 which have different Event Codes - in which case your Event Codes are incorrect) as you wrote.
Something like this should work:

[dropevents]
REGEX = (?msi)^EventCode=(560|562|567).*^Type=Success Audit
DEST_KEY = queue
FORMAT = nullQueue

View solution in original post

Highlighted

Re: WinEventLog:Security filter

Explorer

Thanks for the correction - that was the solution. I guess I need remedial comprehension training, since I was staring at the answer in the logs..

0 Karma
Highlighted

Re: WinEventLog:Security filter

Splunk Employee
Splunk Employee

Example for Windows 2008 WinSecurity events:

[dropevents]
REGEX = (?msi)^EventCode=(4776|4648|4624|4634).*^Keywords=Audit\sSuccess
DEST_KEY = queue
FORMAT = nullQueue

You can also use the following site to verify the regex:

http://gskinner.com/RegExr/?31r9a

0 Karma