Hello everyone,
I'm trying to filter some Windows Security Event Log events that contain the machine name as the username.
To do this I created the props.conf and transforms.conf files below on the Windows machines where I've installed the Splunk Forwarder (/etc/system/local and /etc/apps/Splunk_TA_Windows/local).
props.conf
[WinEventLog:Security]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
REGEX = (?ms)EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)(.*Security ID:.*\$).*Account.*
DEST_KEY = queue
FORMAT = nullQueue
Are there any errors in my regex? Do I have to do something else?
I already put the files on the indexer too, but I am still getting events.
Best Regards,
Caroline Fortunato
By Splunk forwarder do you mean "Universal Forwarder"? If so, please note that the Universal Forwarder does not handle data parsing; that's handled by the receiving system, like your Splunk Indexer.
If you place this configuration on your indexer and restart it, this filter should take effect for new events as they arrive.
This blog post may also be of interest to you: http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/
Update:
A possible, more efficient regex. (Test with your actual events before using it)
REGEX = (?ms)^[^\r\n]+[\r\n]+LogName=Security[\r\n]+SourceName=[^\r\n]+[\r\n]+EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)[\r\n].*?[\r\n]\s+Security ID:\s+[^\r\n]+\$[\r\n]
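To see what the two patterns actually do before putting either one in transforms.conf, here is an added Python check that is not part of the thread or of Splunk's own code. It runs the poster's REGEX and the tighter one from the update over three constructed events written in Splunk's classic WinEventLog text layout (timestamp line, LogName=, SourceName=, EventCode=, then the resolved "Security ID:" / "Account Name:" lines). Python's re stands in for Splunk's PCRE engine, which accepts both patterns unchanged when the parentheses are balanced. The hostnames, account names, record numbers and the win_event()/route() helpers are assumptions made for the example.

```python
import re

# The poster's pattern (loose: greedy .* across the whole event).
ORIGINAL = re.compile(
    r"(?ms)EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)"
    r"(.*Security ID:.*\$).*Account.*"
)

# The suggested pattern: the '$' must sit at the end of a "Security ID:" line.
TIGHTER = re.compile(
    r"(?ms)^[^\r\n]+[\r\n]+LogName=Security[\r\n]+SourceName=[^\r\n]+[\r\n]+"
    r"EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)[\r\n]"
    r".*?[\r\n]\s+Security ID:\s+[^\r\n]+\$[\r\n]"
)


def win_event(code, computer, subject, new_logon=None):
    """Build a CONSTRUCTED event in the classic WinEventLog text layout.

    subject and new_logon are (resolved Security ID, Account Name) tuples,
    as Splunk renders them when SID resolution is on. Windows line endings
    are used; both patterns accept \r, \n or \r\n.
    """
    lines = [
        "01/15/2015 10:23:45 AM",
        "LogName=Security",
        "SourceName=Microsoft Windows security auditing.",
        f"EventCode={code}",
        "EventType=0",
        "Type=Information",
        f"ComputerName={computer}",
        "TaskCategory=Logon",
        "OpCode=Info",
        "RecordNumber=123456",
        "Keywords=Audit Success",
        "Message=Constructed sample event.",
        "",
        "Subject:",
        f"\tSecurity ID:\t\t{subject[0]}",
        f"\tAccount Name:\t\t{subject[1]}",
        "\tAccount Domain:\t\tEXAMPLE",
        "\tLogon ID:\t\t0x3E7",
    ]
    if new_logon:
        lines += [
            "",
            "Logon Type:\t\t\t3",
            "",
            "New Logon:",
            f"\tSecurity ID:\t\t{new_logon[0]}",
            f"\tAccount Name:\t\t{new_logon[1]}",
            "\tAccount Domain:\t\tEXAMPLE",
            "\tLogon ID:\t\t0x1A2B3C",
        ]
    return "\r\n".join(lines) + "\r\n"


SAMPLES = {
    # 4624 network logon by a machine account: the event the poster wants to drop.
    "machine_logon": win_event(4624, "DC01.example.local",
                               ("NULL SID", "-"), ("EXAMPLE\\WS01$", "WS01$")),
    # 4624 interactive logon by a real user. The Subject block is the machine
    # account (the logon was requested by SYSTEM), as on any domain-joined host.
    "user_logon": win_event(4624, "WS01.example.local",
                            ("NT AUTHORITY\\SYSTEM", "WS01$"),
                            ("EXAMPLE\\alice", "alice")),
    # An EventCode outside the list must be kept no matter which account appears.
    "other_code": win_event(4688, "WS01.example.local",
                            ("EXAMPLE\\WS01$", "WS01$")),
}


def route(event, regex):
    """Mimic the transforms.conf decision: a REGEX match sends the event to nullQueue."""
    return "nullQueue" if regex.search(event) else "indexQueue"


def routing_table():
    """Return {sample name: (route under ORIGINAL, route under TIGHTER)}."""
    return {name: (route(ev, ORIGINAL), route(ev, TIGHTER))
            for name, ev in SAMPLES.items()}


if __name__ == "__main__":
    for name, (orig, tight) in routing_table().items():
        print(f"{name:14s} original -> {orig:10s} tighter -> {tight}")
```

On these constructed events the loose pattern sends the real user's 4624 to nullQueue as well: its greedy `.*\$` is satisfied by the Subject's `Account Name: WS01$`, and `Account Domain` follows, so the event matches even though the logged-on account is alice. The tighter pattern only fires when a `Security ID:` line itself ends in `$`, so that logon is indexed and the machine-account logon is still dropped. One caveat a practitioner should check against real data: the tighter pattern requires a line terminator after the `$`, so it would not match an event whose final line is the `Security ID:` line. Also remember that nullQueue is irreversible, and several codes in that list (4624, 4625, 4648, 4672) are core logon-auditing events, so the filter is worth testing exactly as the update suggests.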
Hello Lowell,
I discovered the problem. I am using a heavy forwarder between the Windows machines and the indexer, so the parsing occurs at the heavy forwarder.
I put the files on the heavy forwarder machine, restarted Splunk, and it worked.
Thanks for your help!
Regards,
Carol
Yeah, sorry, I missed that comment at the end the first time I read through it. I'm looking closer at the regex now. It looks inefficient, but I'm not sure if it's actually wrong. Without a sample event it's difficult to say for sure. Have you tested it using any tools like RegexBuddy or Kodos? Oh, keep in mind that the blog post is only relevant for the most recent versions of Splunk.
I placed the files at the indexer too but it didn't work. I'll have a look at the post.