Re: Windows Events filtering

only4luca · ‎10-13-2012

Hi All,

Trying to filter on Win Sec events, dropping events that don't have particular eventids and Account Name contains $ (computer accounts)
Currently I have something like this in my transforms.conf:

[eventsallowed]
... = (?m)^EventCode=(4624|4625).Account Name:^((?!\$).)*$

this doesn't work. Dropping the Account Name: ... forwards the events correctly. The reg also seems to be fine for the account name, so not sure what i'm doing wrong.
Any ideas?

Thanks,
Luca

Lord_Middleton · ‎02-22-2013

Nope- trying to get it running on the main Splunk instance- sorry for the delay... been busy on other projects.

Ayn · ‎01-30-2013

If you're trying to do this on a Universal Forwarder, that won't work. Filtering can only be performed on Splunk instances that perform parsing (basically, most instances except Universal Forwarders).

Lord_Middleton · ‎01-30-2013

Did you end up figuring out what the issue was? I am working on the same task and have been bashing my head against it for a little while now...

MarioM · ‎10-14-2012

have you tried with (?msi) instead of (?m) ?

Windows Events filtering

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Announcing Modern Navigation: A New Era of Splunk User Experience

Casting Call: Compete in Cyber Games

Join the Conversation