Splunk Search

Odd escape handling with regex and rex? How do I cross-check an inputs.conf blacklist?

mbrownoutside
Path Finder

Hello,

I'm attempting to verify a blacklist parameter for a wineventlog stanza by using regex and rex in search and the escape character backslash (\) is being treated incorrectly by both regex and rex.

For instance, I know that splunk search uses PCRE for regex.

If the message field contents are as follows

A network share object was checked to see whether client can be granted desired access.

Subject:
  Security ID:      S-1-5-21-001
  Account Name:     testuser
  Account Domain:       CONTOSO
  Logon ID:     0xA04CAB48

Network Information:    
  Object Type:      File
  Source Address:       192.168.0.1
  Source Port:      62387

Share Information:
  Share Name:       \\*\uemprofiles
  Share Path:       \??\D:\UEM\uemprofiles
  Relative Target Name: testuser\favorites\thisisawebpage.url

Access Request Information:
  Access Mask:      0x2
  Accesses:     WriteData (or AddFile)

Access Check Results:
  WriteData (or AddFile):   Granted by  D:(A;;0x1301bf;;;WD)

Given the documentation on backslash escape chars (hxxps://docs.splunk.com/Documentation/Splunk/7.3.1/Search/SPLandregularexpressions), I believe all backslashes in a path ( \ ) must be stated within a regex as four backslashes ( \\\\ ).

Therefore, I expect to get match the above event with | regex Message="Share Path:\s*\\\\\?\?\\\\D" | rex "Share Path:\s*\\\\\?\?\\\\(?P<path>.*)" where path is then equal to D:\UEM\uemprofiles, and the rex works.

But given that regex how do i know for sure that this acts the same way as rex, and thusly how do I know that blacklist in inputs.conf will act this same way/

In fact, I have a feeling that blacklist does not require the additional backslash escape conditions. Is this correct?

Therefore, to blacklist these events (only when share path contains \??\D:) within an inputs.conf WinEventLog stanza, the following syntax should be used for a successful regex match:

blacklist3 = EventCode="5145" Message="Share Path:\s*(\\\?\?\\D:)"

Is this correct?

Thanks,

matt

0 Karma

mbrownoutside
Path Finder

After some testing, it's clear to use regular escape syntax:

blacklist3 = EventCode="5145" Message="Share Path:\s*(\\\?\?\\D:)"
0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...