Splunk Search

How to exclude the Windows events with Splunk process before indexing?

kiran331
Builder

Hi,

I see a lot of events in Windows logs with Process splunk-regmon, powershell etc. Is there a way to exclude the processes before indexing?

message contains:

C:\Program Files\SplunkUniversalForwarder\bin\*
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi
following http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad put in your indexers something like this:

in props.conf

[WinEventLog:Security]
 TRANSFORMS-set-exclude=set_exclude,set_nullqueue

in transforms.conf

[set_exclude]
 REGEX=.
 DEST_KEY = queue
 FORMAT = indexQueue

 [set_nullqueue]
 REGEX=C:\\Program Files\\SplunkUniversalForwarder\\bin\\\*
 DEST_KEY=queue
 FORMAT=nullQueue

Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi
following http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad put in your indexers something like this:

in props.conf

[WinEventLog:Security]
 TRANSFORMS-set-exclude=set_exclude,set_nullqueue

in transforms.conf

[set_exclude]
 REGEX=.
 DEST_KEY = queue
 FORMAT = indexQueue

 [set_nullqueue]
 REGEX=C:\\Program Files\\SplunkUniversalForwarder\\bin\\\*
 DEST_KEY=queue
 FORMAT=nullQueue

Bye.
Giuseppe

View solution in original post

0 Karma

sbbadri
Motivator

@kiran331

[WinEventLog:Security]
blacklist3 = EventCode="4688" New_Process_Name="C:\Program Files\SplunkUniversalForwarder\bin\*"

I hope New_Process_Name as been extracted.

or

[WinEventLog:Security]
blacklist3 = EventCode="4688" Message="A new process has been created."

0 Karma

kiran331
Builder

I tried blacklist3 = EventCode="4688" New_Process_Name="C:\Program Files\SplunkUniversalForwarder\bin\*", it dint worked

0 Karma

adonio
SplunkTrust
SplunkTrust

you are missing a "\" at the end after bin\
there supposed to be 2 of them \

0 Karma

adonio
SplunkTrust
SplunkTrust

i think its better to disable the monitoring of regmon if possible
if you want to filter events, start here:
http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad
hope it helps

0 Karma

kiran331
Builder

Hi Adonio,

I tried

blacklist3 = EventCode="4688" Message="New Process Name: (?i)^(C:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)" in inputs.conf, its not working. Is there anything I have to change in it.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!