Splunk Search

How to exclude the Windows events with Splunk process before indexing?

kiran331
Builder

Hi,

I see a lot of events in Windows logs with Process splunk-regmon, powershell etc. Is there a way to exclude the processes before indexing?

message contains:

C:\Program Files\SplunkUniversalForwarder\bin\*
0 Karma
1 Solution

gcusello
Esteemed Legend

Hi
following http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad put in your indexers something like this:

in props.conf

[WinEventLog:Security]
 TRANSFORMS-set-exclude=set_exclude,set_nullqueue

in transforms.conf

[set_exclude]
 REGEX=.
 DEST_KEY = queue
 FORMAT = indexQueue

 [set_nullqueue]
 REGEX=C:\\Program Files\\SplunkUniversalForwarder\\bin\\\*
 DEST_KEY=queue
 FORMAT=nullQueue

Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
Esteemed Legend

Hi
following http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad put in your indexers something like this:

in props.conf

[WinEventLog:Security]
 TRANSFORMS-set-exclude=set_exclude,set_nullqueue

in transforms.conf

[set_exclude]
 REGEX=.
 DEST_KEY = queue
 FORMAT = indexQueue

 [set_nullqueue]
 REGEX=C:\\Program Files\\SplunkUniversalForwarder\\bin\\\*
 DEST_KEY=queue
 FORMAT=nullQueue

Bye.
Giuseppe

0 Karma

sbbadri
Motivator

@kiran331

[WinEventLog:Security]
blacklist3 = EventCode="4688" New_Process_Name="C:\Program Files\SplunkUniversalForwarder\bin\*"

I hope New_Process_Name as been extracted.

or

[WinEventLog:Security]
blacklist3 = EventCode="4688" Message="A new process has been created."

0 Karma

kiran331
Builder

I tried blacklist3 = EventCode="4688" New_Process_Name="C:\Program Files\SplunkUniversalForwarder\bin\*", it dint worked

0 Karma

adonio
Ultra Champion

you are missing a "\" at the end after bin\
there supposed to be 2 of them \

0 Karma

adonio
Ultra Champion

i think its better to disable the monitoring of regmon if possible
if you want to filter events, start here:
http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad
hope it helps

0 Karma

kiran331
Builder

Hi Adonio,

I tried

blacklist3 = EventCode="4688" Message="New Process Name: (?i)^(C:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)" in inputs.conf, its not working. Is there anything I have to change in it.

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...