Solved: Re: Not working SEDCMD. Props.conf. help

gitingua · ‎11-18-2021

Not working SEDCMD in my props.conf

/opt/splunk/etc/system/local/props.conf

[ActiveDirectory]

SEDCMD-mask_ms_pwd = s/(ms-Mcs-AdmPwd\s*=)\s*.*/ms-Mcs-AdmPwd=*******/

I checked it on regex101.com everything works.

wrote a line in props.conf and reloaded splunk. but still hides nothing

gitingua · ‎11-23-2021

You can deploy a props.conf configuration utilising “SEDCMD” and have it apply to the sourcetype “ActiveDirectory”. This means, as the data is streaming into Splunk and before it ends up on disk “indexed”, it will be anonymised. To do this we utilise the Splunk “SEDCMD”. This is much like the sed command you would find on a *nix based system. Ideally the props.conf file should be placed on a Splunk Heavy Forwarder on it’s path towards the Indexer, you could place this configuration on an indexer, but to avoid potential performance issues try use a Splunk Heavy Forwarder.

deploy-server vim /opt/splunk/etc/deployment-apps/Splunk_TA_windows

# props.conf on a HF. 
[ActiveDirectory]
SEDCMD-anonymiseLaps = s/ms-Mcs-AdmPwd\=.*/ms-Mcs-AdmPwd=####!!!!!#####/g

save

deploy-server$ /opt/splunk/bin/splunk reload deploy-server

View solution in original post

gitingua · ‎11-23-2021

You can deploy a props.conf configuration utilising “SEDCMD” and have it apply to the sourcetype “ActiveDirectory”. This means, as the data is streaming into Splunk and before it ends up on disk “indexed”, it will be anonymised. To do this we utilise the Splunk “SEDCMD”. This is much like the sed command you would find on a *nix based system. Ideally the props.conf file should be placed on a Splunk Heavy Forwarder on it’s path towards the Indexer, you could place this configuration on an indexer, but to avoid potential performance issues try use a Splunk Heavy Forwarder.

deploy-server vim /opt/splunk/etc/deployment-apps/Splunk_TA_windows

# props.conf on a HF. 
[ActiveDirectory]
SEDCMD-anonymiseLaps = s/ms-Mcs-AdmPwd\=.*/ms-Mcs-AdmPwd=####!!!!!#####/g

save

deploy-server$ /opt/splunk/bin/splunk reload deploy-server

richgalloway · ‎11-18-2021

It would help to see a full event as it appears as though the current SEDCMD will replace everything that follows "ms-Mcs-AdmPwd=", not just the password. Please post the event as text rather than a screenshot so we can test with it.

Recall that changes to SEDCMD affect only new data and not data that is already indexed.

---
If this reply helps you, Karma would be appreciated.

gitingua · ‎11-18-2021

@richgalloway I know what's new. new events do not change

ms-Mcs-AdmPwd=a01LePq5

exactly what is needed. or the desired complete

richgalloway · ‎11-18-2021

Try this regex.

SEDCMD-mask_ms_pwd = s/(ms-Mcs-AdmPwd)=(.*)/\1=******/g

---
If this reply helps you, Karma would be appreciated.

gitingua · ‎11-18-2021

not working

i changed and rebooted at 18:52. at 18:55 the event came as before

props.conf

[ActiveDirectory]

SHOULD_LINEMERGE = false

LINE_BREAKER = ([\r\n]+---splunk-admon-end-of-event---\r\n[\r\n]*)

EXTRACT-GUID = (?i)(?!=\w)(?:objectguid|guid)\s*=\s*(?<guid_lookup>[\w\-]+)

EXTRACT-SID = objectSid\s*=\s*(?<sid_lookup>\S+)

SEDCMD-mask_ms_pwd = s/(ms-Mcs-AdmPwd)=(.*)/\1=******/g

Maybe something from the other lines bothers him?

richgalloway · ‎11-18-2021

Would you mind sharing the raw event? That is what SEDCMD sees so it's what we should be working with.

---
If this reply helps you, Karma would be appreciated.

gitingua · ‎11-22-2021

@richgalloway

no access to raw data. but I found a question similar to mine. and there are sources where they show an example. I drove them but also unsuccessfully

https://community.splunk.com/t5/Getting-Data-In/ms-Mcs-AdmPwd-Plaintext-in-Splunk/td-p/562704

richgalloway · ‎11-22-2021

Where are you putting the props.conf file? It must be on the indexers and, if you have them, heavy forwarders. The instances must be restarted after making changes.

---
If this reply helps you, Karma would be appreciated.