Getting Data In

Windows events filtering not working

marco_massari11
Communicator

Hello,

I'having some problem when filtering standard Windows events. My goal is to send the events coming from my UFs to two different indexes based on the users. If the user ends with ".adm" the index should be index1, otherwhise index2. Here is my regex for filtering https://regex101.com/r/PsEHIp/1 

I put it in inputs.conf

###### OS Logs ######
[WinEventLog://Security]
disabled = 0
index = index1
followTail=true
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = (?ms)EventCode=(4624|4634|4625)\s+.*\.adm
renderXml=false
0 Karma

marco_massari11
Communicator

Hello, thanks for the clarification. Your solution is about to send all the events that match

(?ms)EventCode=(4624|4634|4625)\s+.*\.adm

in a specific index, but what about if I want to send the not matched events to another index? 

0 Karma

marnall
Motivator

You could leave the index=index1 field in the inputs.conf stanza. That way all non-matching events would go to index1, and all matching events would go to index 2

0 Karma

marnall
Motivator

This can be accomplished with props and transforms. On your indexer machines, make the following files with stanzas: (whether through cluster bundle pushes or direct editing)

props.conf

# put this stanza in props.conf. Here your source field for the logs is assumed to be "WinEventLog://Security"
[source::WinEventLog://Security]
TRANSFORMS-anynamegoeshere=yourtransformname

# If you would like to apply the filter to a sourcetype, you can also do this:
[<yoursourcetype>]
TRANSFORMS-anynamegoeshere=yourtransformname

 

transforms.conf

# Put this in transforms.conf
[yourtransformname]
REGEX = (?ms)EventCode=(4624|4634|4625)\s+.*\.adm
FORMAT = index2
DEST_KEY = _MetaData:Index

marco_massari11
Communicator

It seems that the regex is not working, because the events are still arriving in index1, I tried different regexes but is the same

0 Karma

marnall
Motivator

Can you troubleshoot that Splunk is applying the props and transforms to the logs? 

 

E.g. what do your inputs.conf and props.conf stanzas look like for this log type, and on which Splunk machines are the inputs.conf and props.conf files placed

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...