Splunk Dev

remove events from Windows security

Esky73
Builder

Receiving Windows security logs from UFs.

I have created an app on my HF and put transforms and props in the local folder, as follows:

[WinEventLog:Security]
TRANSFORMS-setNull8 = NukeThumbs.db

[NukeThumbs.db]
REGEX = (?s).*Thumbs.db(?s).*
DEST_KEY = queue
FORMAT = nullQueue

However, I'm still seeing Windows event logs coming through to my Splunk instance like the following:

D:\SYSTEM\FFMC\Hireline\FFFG Fireline 2016\Pete Register\201705 May\Thumbs.db

tlam_splunk
Splunk Employee

Is it possible that your Windows event log is multiline? You could try to use (?ms) instead of (?s).


woodcock
Esteemed Legend

Try this:

[NukeThumbs.db]
REGEX = \\Thumbs\.db(?:[\r\n]+|$)
DEST_KEY = queue
FORMAT = nullQueue

Deploy this to your INDEXERS and restart all Splunk instances there. When testing your change, only examine events that were indexed AFTER the restarts (you can use something like _index_earliest=-2m or similar); older events will stay broken (not deleted).


Esky73
Builder

So this wouldn't work at the HF level? I have no access to the Splunk Cloud indexers.


woodcock
Esteemed Legend

Yes, it will work for HF; I should have written your parsing servers instead of Indexers.


Esky73
Builder

Applied to the HF and restarted the HF; events are still being seen.

Also added:

[Nukesvchost]
REGEX = [Ss]vchost\.exe(?:[\r\n]+|$)
DEST_KEY = queue
FORMAT = nullQueue

which looks right (in regex101.com),

however, it also doesn't stop the events.

Props and transforms are located in:

C:\ProgramFiles\Splunk\etc\apps\Splunk_TA_EventNukes\local

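To sanity-check the nullQueue stanzas from woodcock's answer and the svchost stanza above before deploying them to the parsing tier, here is an added Python example (not from the thread or from Splunk) that emulates how a transforms REGEX is searched, unanchored, against the raw event. The events are constructed, and the svchost pattern is written with a plain [Ss] character class.

```python
import re

# Constructed sample events (not from the thread): a multiline Windows
# Security event containing a Thumbs.db path, one naming svchost.exe,
# and one logon event that should reach the index untouched.
SAMPLE_EVENTS = [
    "05/17/2017 10:01:02 AM\nLogName=Security\nEventCode=4663\n"
    "Object Name:\tD:\\SYSTEM\\FFMC\\Hireline\\Pete Register\\Thumbs.db\n"
    "Access Request Information:\n\tAccesses:\tReadData",
    "05/17/2017 10:01:03 AM\nLogName=Security\nEventCode=4688\n"
    "New Process Name:\tC:\\Windows\\System32\\svchost.exe\n"
    "Token Elevation Type:\t%%1936",
    "05/17/2017 10:01:04 AM\nLogName=Security\nEventCode=4624\n"
    "Logon Type:\t3\nAccount Name:\tsvc_backup",
]

# The two nullQueue stanzas, keyed by stanza name, as REGEX values.
# Each pattern requires the file name to be followed by a line break or
# the end of the event, so "Thumbs.db.old" would not be discarded.
TRANSFORMS = {
    "NukeThumbs.db": r"\\Thumbs\.db(?:[\r\n]+|$)",
    "Nukesvchost": r"[Ss]vchost\.exe(?:[\r\n]+|$)",
}


def matching_stanza(raw, transforms=TRANSFORMS):
    """Return the name of the first stanza whose REGEX matches, else None.

    Splunk evaluates REGEX as an unanchored PCRE search over _raw, so
    re.search without extra flags is the closest stand-in; inline flags
    such as (?ms) inside the pattern still take effect here as they would
    in transforms.conf.
    """
    for name, pattern in transforms.items():
        if re.search(pattern, raw):
            return name
    return None


def route_all(events=SAMPLE_EVENTS, transforms=TRANSFORMS):
    """Map each event to the queue it would be sent to (DEST_KEY = queue)."""
    return [
        "nullQueue" if matching_stanza(e, transforms) else "indexQueue"
        for e in events
    ]


if __name__ == "__main__":
    for event, queue in zip(SAMPLE_EVENTS, route_all()):
        print(event.splitlines()[2], "->", queue)
```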

Esky73
Builder

I have implemented the filtering in inputs.conf on the HF for now, but I would still like to know what the issue could be.

Could it be something to do with the fact that the HFs have a 0-byte license? They just forward the data to the cloud.
