building a search on windows event security logs

New Member

I'm trying to build a search on Windows event logs that will exclude activity by the real-time antivirus scanner and return a list of users in order of the amount of data accessed... Not sure if this is possible. Below is the line I'd like to filter on, as that is the AV program. Can anyone point me in the right direction? I should point out that I am very new to Splunk and don't know much about the built-in searching tools (reading the docs now).

Image File Name: E:\Program Files\CA\eTrustITM\InoRT.exe

0 Karma
1 Solution

Splunk Employee

Looking high level, you have two different options. If your logs are absolutely filled with those entries, you can filter them out altogether so that they won't be in Splunk. How to do that depends on how you are getting the event log data into Splunk (e.g., WMI, Lasso, etc.). Answers.splunk.com and the Splunk documentation are filled with questions about how to do that, but here are a couple that might be useful:

A simpler approach, though, would be to just exclude it from your search. For example, if a search for Windows Security Event Logs is sourcetype=windows_security you could run:

sourcetype=windows_security NOT "Image File Name: E:\Program Files\CA\eTrustITM\InoRT.exe"

That will leave you with the security event log information, excluding the AV activity. Apart from cleanliness and speed, the big advantage of the first approach is that it won't count against your quota.

Hopefully that answers your question.

0 Karma

New Member

Thanks, that regex string did it! I really appreciate the help.

0 Karma

New Member

Thank you very much, I am trying that now! I appreciate the help, my regex looked nothing like that...

0 Karma

Splunk Employee
Splunk Employee

Ah, yeah. That does sound like a regex issue, if you're able to filter out other events from the source. I'd go with the regex:
Image File Name: .*?InoRT.exe
myself. That should match InoRT.exe anywhere in the event, which I'd guess is good enough for your needs. You should be able to use the full string, but you'll likely need to escape the slashes. I haven't done event filtering myself, but I would expect that you would need to replace every \ with \\.

0 Karma
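The index-time version of the filter discussed in this thread, as an added example that is not from the original answers: it assumes the sourcetype is windows_security (the placeholder used in the accepted answer; the real name depends on how the WMI input is configured) and that the stanzas are placed on the Splunk instance that parses the events, since the universal forwarder does not apply these transforms.

```ini
# props.conf  (assumed location: the indexer or heavy forwarder that parses the events)
# The stanza name must match the sourcetype actually assigned to the WMI input.
[windows_security]
TRANSFORMS-drop_av_scanner = drop_inort_events

# transforms.conf
# REGEX is PCRE, so every backslash in the Windows path is doubled and the
# dot before "exe" is escaped, as suggested in the thread above.
[drop_inort_events]
REGEX = Image File Name:\s+E:\\Program Files\\CA\\eTrustITM\\InoRT\.exe
DEST_KEY = queue
FORMAT = nullQueue
```

Events routed to nullQueue are dropped before indexing, so they neither appear in searches nor count against the license quota; keep a search-time exclusion (the NOT clause from the accepted answer) for data already indexed.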

New Member

Thank you, I'll try this. Yeah, I tried filtering it in the props and transforms files but couldn't get the regex to work right. I am filtering on multiple system accounts successfully at the moment, so I'm fairly certain it is just a matter of getting the proper regex string. I am using WMI to get the EV logs from my Windows servers.

0 Karma