Getting Data In

filter WinEventLog:Security by Account Name

New Member

I'm running Splunk 5.0 build 140868 on a Windows 2008 R2 server. I'm trying to Audit file and folder deletes on this server, but the appropriate way to do this is to log for everyone. My Splunk service account, splunkrdba, makes changes to it's logs constantly, so I want to send these events to the null queue, but I'm having issues with the Regex. Below see my most recent props.conf, transforms.conf, and a sample log that I'm trying to prevent.

TRANSFORMS-wmi= wminull

REGEX = (?msi)^Accoung_Name=splunkrdba
DEST_KEY = queue
FORMAT = nullqueue

02/08/2013 09:32:55 AM
SourceName=Microsoft Windows security auditing.
ComputerName= X
TaskCategory=File System
Keywords=Audit Success
Message=An object was deleted.

Security ID: RDBA\splunkrdba
Account Name: splunkrdba
Account Domain: RDBA
Logon ID: 0xb8bbf7

Object Server: Security
Handle ID: 0x64

Process Information:
Process ID: 0x1b00
Process Name: C:\Program Files\Splunk\bin\splunk-optimize.exe
Transaction ID: {00000000-0000-0000-0000-000000000000}

Collapse back to 10 lines

host=RDBALOG-002   Options|  
sourcetype=WinEventLog:Security   Options|  
source=WinEventLog:Security   Options
0 Karma

New Member

I've finally gotten this to work on my own.

A few things changed.

1) I upgraded to the newest version of Splunk
2) I changed the regex statement to be just regex = splunkrdba
3) I change transforms.conf to be FORMAT = nullQueue

I believe the 1st didn't really do much, but I wanted to mention it. I think the second one finally caught what I wanted without catching anything else, and I believe the capital Q is necessary. Hope this helps someone else.

0 Karma

New Member

Just as an FYI, I noticed a typo in this. Transforms.conf now reads as below. This did not fix the issue however.

REGEX = (?msi)^Account_Name=splunkrdba
DEST_KEY = queue
FORMAT = nullqueue

0 Karma