Re: Windows Events filtering

only4luca · ‎10-13-2012

Hi All,

Trying to filter on Win Sec events, dropping events that don't have particular eventids and Account Name contains $ (computer accounts)
Currently I have something like this in my transforms.conf:

[eventsallowed]
... = (?m)^EventCode=(4624|4625).Account Name:^((?!\$).)*$

this doesn't work. Dropping the Account Name: ... forwards the events correctly. The reg also seems to be fine for the account name, so not sure what i'm doing wrong.
Any ideas?

Thanks,
Luca

Lord_Middleton · ‎02-22-2013

Nope- trying to get it running on the main Splunk instance- sorry for the delay... been busy on other projects.

Ayn · ‎01-30-2013

If you're trying to do this on a Universal Forwarder, that won't work. Filtering can only be performed on Splunk instances that perform parsing (basically, most instances except Universal Forwarders).

Lord_Middleton · ‎01-30-2013

Did you end up figuring out what the issue was? I am working on the same task and have been bashing my head against it for a little while now...

MarioM · ‎10-14-2012

have you tried with (?msi) instead of (?m) ?

Windows Events filtering

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation

Windows Events filtering

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud