Solved: Windows Event filtering on Heavy-Forwarder

splunkcol · ‎05-03-2021

I am ingesting 100 windows machines and the events that are affecting my license consumption the most are 5156,5157,5158, 4658,4663, 4656, 4690.

I don't really know if I should filter them or if I can get out some correlation event that is valuable.

I have already filtered the first 2 according to Splunk documentation.

But my client doesn't want me to filter the EventCode if not the "Application Name"

What I see differently is that "EventCode" is pasted and "Aplication Name" has a blank space and I don't know how I should put the regular expression if I want to filter only by "Aplication name"

for example
Application Name: \device\harddiskvolume2\windows\system32\svchost.exe

props.conf
[WinEventLog:Security]
TRANSFORMS-wmi=wminull

transforms.conf
[wminull]
REGEX=(?m)^EventCode=(592|593)
DEST_KEY=queue
FORMAT=nullQueue

https://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad

splunkcol · ‎05-06-2021

I was able to achieve filtering like this

transforms.conf
[wminull]
REGEX=(svchost.exe)
DEST_KEY=queue
FORMAT=nullQueue

View solution in original post

splunkcol · ‎09-02-2021

I was finally able to filter with this stanza

note: omit the bracket that is missing at the beginning

splunkcol · ‎05-06-2021

I was able to achieve filtering like this

transforms.conf
[wminull]
REGEX=(svchost.exe)
DEST_KEY=queue
FORMAT=nullQueue

Windows Event filtering on Heavy-Forwarder

heavy forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation