Splunk Enterprise

How to filter out Windows event logs in XML format?

avivfri
Explorer

Hello
We are trying to add a filter on the input of Windows event logs.

The inputs.conf stanza is:

[WinEventLog://Security]
disabled = 0
index = windows
blacklist1 = 5145,5156
blacklist2 = EventCode=4672 SubjectUserName="exchange\$"
renderXml=true
suppress_text=true
# the setting names are suppress_sourcename and suppress_keywords;
# a misspelled key (supress_...) is silently ignored by the input
suppress_sourcename=true
suppress_keywords=true
suppress_task=true
suppress_opcode=true

blacklist1 is working well, but blacklist2 is not.
The target is to filter out event ID 4672 with SubjectUserName equal to "exchange$".

Any ideas?

 

Thank you


richgalloway
SplunkTrust
SplunkTrust

blacklist2 isn't working because SubjectUserName is not a supported key.

From inputs.conf.spec:

The key must belong to the set of valid keys provided below.
* Category, CategoryString, ComputerName, EventCode, EventType, Keywords,
LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,
TaskCategory, Type, User


---
If this reply helps you, Karma would be appreciated.

avivfri
Explorer

Hi

Thank you for your answer.

This is an example of the log I want to filter out:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{GUID}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-03-27T06:12:23.991443700Z'/><EventRecordID>4172712244</EventRecordID><Correlation ActivityID='ID'/><Execution ProcessID='1096' ThreadID='1486900'/><Channel>Security</Channel><Computer>exchange</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>SID</Data><Data Name='SubjectUserName'>exchange$</Data><Data Name='SubjectDomainName'>AD</Data><Data Name='SubjectLogonId'>0x63767d73d</Data><Data Name='PrivilegeList'>SeSecurityPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeTakeOwnershipPrivilege
			SeSystemEnvironmentPrivilege
			SeLoadDriverPrivilege
			SeImpersonatePrivilege
			SeDelegateSessionUserImpersonatePrivilege
			SeDebugPrivilege</Data></EventData></Event>

Will the field SubjectUserName be mapped to User?

Thank you


PickleRick
SplunkTrust
SplunkTrust

No, at the input level nothing is "mapped". Nothing is even parsed apart from splitting the input stream into events.


avivfri
Explorer

Understood.

So is it possible to filter this kind of event?


PickleRick
SplunkTrust
SplunkTrust

On UF? Unless you write your own input program, I don't think so. You can filter them at first "heavy" component (heavy forwarder or indexer) in the path.

See https://docs.splunk.com/Documentation/Splunk/8.2.5/Forwarding/Routeandfilterdatad
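The route-and-filter approach from the linked docs, applied to the event in this thread, as an added example that is not from the original posts or from Splunk's documentation: a props.conf/transforms.conf pair that sends 4672 events whose SubjectUserName is exchange$ to nullQueue. It assumes the XML-rendered events arrive with source XmlWinEventLog:Security (the usual source when renderXml=true) and that the files are deployed on the first heavy forwarder or indexer in the path, since the UF does not apply them.

```ini
# props.conf (on the first heavy forwarder or indexer, not the UF)
# Assumption: with renderXml=true the events carry source XmlWinEventLog:Security.
[source::XmlWinEventLog:Security]
TRANSFORMS-drop_4672_exchange = drop_4672_exchange_machine

# transforms.conf
[drop_4672_exchange_machine]
# The whole XML event is matched as one string. <EventID> sits in <System>,
# which precedes <EventData>, so the two anchors are matched in that order;
# [\s\S]*? also crosses the newlines inside <Data Name='PrivilegeList'>.
# Element text is taken verbatim from the sample event (single-quoted
# attributes); the $ in exchange$ must be escaped.
REGEX = <EventID>4672</EventID>[\s\S]*?<Data Name='SubjectUserName'>exchange\$</Data>
DEST_KEY = queue
FORMAT = nullQueue
```

Events routed to nullQueue are discarded before indexing and cannot be recovered, so check the regex against a few captured events (for example by first routing matches to a test index instead of nullQueue) before enabling the drop.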
