Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

filter WinEventLog:Security by Account Name

jturnerrdba
New Member
‎02-08-2013 07:17 AM

I'm running Splunk 5.0 build 140868 on a Windows 2008 R2 server. I'm trying to Audit file and folder deletes on this server, but the appropriate way to do this is to log for everyone. My Splunk service account, splunkrdba, makes changes to it's logs constantly, so I want to send these events to the null queue, but I'm having issues with the Regex. Below see my most recent props.conf, transforms.conf, and a sample log that I'm trying to prevent.

Props.conf
[WinEventLog:Security]
TRANSFORMS-wmi= wminull

Transforms.conf
[wminull]
REGEX = (?msi)^Accoung_Name=splunkrdba
DEST_KEY = queue
FORMAT = nullqueue

02/08/2013 09:32:55 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4660
EventType=0
Type=Information
ComputerName= X
TaskCategory=File System
OpCode=Info
RecordNumber=3184693
Keywords=Audit Success
Message=An object was deleted.

Subject:
Security ID: RDBA\splunkrdba
Account Name: splunkrdba
Account Domain: RDBA
Logon ID: 0xb8bbf7

Object:
Object Server: Security
Handle ID: 0x64

Process Information:
Process ID: 0x1b00
Process Name: C:\Program Files\Splunk\bin\splunk-optimize.exe
Transaction ID: {00000000-0000-0000-0000-000000000000}

Collapse back to 10 lines

host=RDBALOG-002   Options|  
sourcetype=WinEventLog:Security   Options|  
source=WinEventLog:Security   Options
0 Karma
Reply

jturnerrdba
New Member
‎02-11-2013 10:23 AM

I've finally gotten this to work on my own.

A few things changed.

1) I upgraded to the newest version of Splunk
2) I changed the regex statement to be just regex = splunkrdba
3) I change transforms.conf to be FORMAT = nullQueue

I believe the 1st didn't really do much, but I wanted to mention it. I think the second one finally caught what I wanted without catching anything else, and I believe the capital Q is necessary. Hope this helps someone else.

0 Karma
Reply

jturnerrdba
New Member
‎02-08-2013 12:35 PM

Just as an FYI, I noticed a typo in this. Transforms.conf now reads as below. This did not fix the issue however.

[wminull]
REGEX = (?msi)^Account_Name=splunkrdba
DEST_KEY = queue
FORMAT = nullqueue

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...