Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to exclude the Windows events with Splunk process before indexing?

kiran331
Builder
‎07-28-2017 09:40 AM

Hi,

I see a lot of events in Windows logs with Process splunk-regmon, powershell etc. Is there a way to exclude the processes before indexing?

message contains:

C:\Program Files\SplunkUniversalForwarder\bin\*
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-31-2017 07:43 AM

Hi
following http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad put in your indexers something like this:

in props.conf

[WinEventLog:Security]
 TRANSFORMS-set-exclude=set_exclude,set_nullqueue

in transforms.conf

[set_exclude]
 REGEX=.
 DEST_KEY = queue
 FORMAT = indexQueue

 [set_nullqueue]
 REGEX=C:\\Program Files\\SplunkUniversalForwarder\\bin\\\*
 DEST_KEY=queue
 FORMAT=nullQueue

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-31-2017 07:43 AM

Hi
following http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad put in your indexers something like this:

in props.conf

[WinEventLog:Security]
 TRANSFORMS-set-exclude=set_exclude,set_nullqueue

in transforms.conf

[set_exclude]
 REGEX=.
 DEST_KEY = queue
 FORMAT = indexQueue

 [set_nullqueue]
 REGEX=C:\\Program Files\\SplunkUniversalForwarder\\bin\\\*
 DEST_KEY=queue
 FORMAT=nullQueue

Bye.
Giuseppe

Reply
Solved! Jump to solution

sbbadri
Motivator
‎07-28-2017 12:36 PM

@kiran331

[WinEventLog:Security]
blacklist3 = EventCode="4688" New_Process_Name="C:\Program Files\SplunkUniversalForwarder\bin\*"

I hope New_Process_Name as been extracted.

or

[WinEventLog:Security]
blacklist3 = EventCode="4688" Message="A new process has been created."

0 Karma
Reply
Solved! Jump to solution

kiran331
Builder
‎07-31-2017 07:33 AM

I tried blacklist3 = EventCode="4688" New_Process_Name="C:\Program Files\SplunkUniversalForwarder\bin\*", it dint worked

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-31-2017 07:37 AM

you are missing a "\" at the end after bin\
there supposed to be 2 of them \

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-28-2017 10:32 AM

i think its better to disable the monitoring of regmon if possible
if you want to filter events, start here:
http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad
hope it helps

0 Karma
Reply
Solved! Jump to solution

kiran331
Builder
‎07-28-2017 12:00 PM

Hi Adonio,

I tried

blacklist3 = EventCode="4688" Message="New Process Name: (?i)^(C:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)" in inputs.conf, its not working. Is there anything I have to change in it.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...