I'm running Splunk 4.2.5 server on CentOS. I've also installed SplunkForwarder 4.3 on a Win2k3 server, collecting Application, Security, and System events.
On the server, I have defined
props.conf
[WinEventLog:Security]
TRANSFORMS-set=dropevents
transforms.conf
[dropevents]
REGEX = (?msi)^EventCode=(560|562|567).*^(Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue
I've tried various forms of the REGEX, including just the EventCodes, one EventCode, etc. Nothing seems to work; no events are dropped. I read that this was a known issue before 4.2.1, but it is not listed in the 4.3 known issues. Can anyone enlighten me as to what I may be doing wrong?
Your regex is incorrect.
It is Type=Success Audit, not Type=Audit Success as you wrote (the latter happens with Windows 2008, which has different Event Codes - in which case your Event Codes are incorrect).
Something like this should work:
[dropevents]
REGEX = (?msi)^EventCode=(560|562|567).*^Type=Success Audit
DEST_KEY = queue
FORMAT = nullQueue
Example for Windows 2008 WinSecurity events:
[dropevents]
REGEX = (?msi)^EventCode=(4776|4648|4624|4634).*^Keywords=Audit\sSuccess
DEST_KEY = queue
FORMAT = nullQueue
You can also use the following site to verify the regex:
Thanks for the correction - that was the solution. I guess I need remedial comprehension training, since I was staring at the answer in the logs.
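A way to check a nullQueue REGEX offline before touching transforms.conf, as an added example that is not from the thread or from Splunk: the sample events below are constructed to resemble the multi-line field-per-line form in which Splunk's Windows event log input presents events, and Python's re module is assumed to treat the (?msi) inline flags the same way Splunk's PCRE engine does for these constructs.

```python
import re

# Constructed sample events (not real log data), one multi-line event each,
# laid out field-per-line as the Splunk Windows event log input renders them.
WIN2003_SUCCESS = """\
03/14/2012 10:15:02 AM
LogName=Security
SourceName=Security
EventCode=560
EventType=8
Type=Success Audit
Category=Object Access
Message=Object Open:
"""

# Same event, but a failed audit: a correct filter must keep this one.
WIN2003_FAILURE = WIN2003_SUCCESS.replace("Type=Success Audit", "Type=Failure Audit")

WIN2008_SUCCESS = """\
03/14/2012 10:15:02 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
Keywords=Audit Success
TaskCategory=Logon
Message=An account was successfully logged on.
"""

# The REGEX values exactly as they appear in the transforms.conf stanzas above.
ORIGINAL_REGEX = r"(?msi)^EventCode=(560|562|567).*^(Type=Audit Success)"
CORRECTED_2003_REGEX = r"(?msi)^EventCode=(560|562|567).*^Type=Success Audit"
CORRECTED_2008_REGEX = r"(?msi)^EventCode=(4776|4648|4624|4634).*^Keywords=Audit\sSuccess"


def would_drop(regex: str, event: str) -> bool:
    """True if a stanza with this REGEX (DEST_KEY=queue, FORMAT=nullQueue) would discard the event."""
    return re.search(regex, event) is not None


def filter_events(regex: str, events: list[str]) -> list[str]:
    """Return the events that survive the filter, i.e. what the indexer would keep."""
    return [e for e in events if not would_drop(regex, e)]
```

Running the original regex against the 2003 sample shows nothing is dropped, which is the behaviour reported in the question; the corrected regex drops the success audit but keeps the failure audit.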