Splunk Search

Odd escape handling with regex and rex? How do I cross-check an inputs.conf blacklist?

mbrownoutside
Path Finder

Hello,

I'm attempting to verify a blacklist parameter for a wineventlog stanza by using regex and rex in search and the escape character backslash (\) is being treated incorrectly by both regex and rex.

For instance, I know that splunk search uses PCRE for regex.

If the message field contents are as follows

A network share object was checked to see whether client can be granted desired access.

Subject:
  Security ID:      S-1-5-21-001
  Account Name:     testuser
  Account Domain:       CONTOSO
  Logon ID:     0xA04CAB48

Network Information:    
  Object Type:      File
  Source Address:       192.168.0.1
  Source Port:      62387

Share Information:
  Share Name:       \\*\uemprofiles
  Share Path:       \??\D:\UEM\uemprofiles
  Relative Target Name: testuser\favorites\thisisawebpage.url

Access Request Information:
  Access Mask:      0x2
  Accesses:     WriteData (or AddFile)

Access Check Results:
  WriteData (or AddFile):   Granted by  D:(A;;0x1301bf;;;WD)

Given the documentation on backslash escape chars (hxxps://docs.splunk.com/Documentation/Splunk/7.3.1/Search/SPLandregularexpressions), I believe all backslashes in a path ( \ ) must be stated within a regex as four backslashes ( \\\\ ).

Therefore, I expect to match the above event with | regex Message="Share Path:\s*\\\\\?\?\\\\D" | rex "Share Path:\s*\\\\\?\?\\\\(?P<path>.*)" where path is then equal to D:\UEM\uemprofiles, and the rex works.

But given that regex, how do I know for sure that this acts the same way as rex, and thus how do I know that the blacklist in inputs.conf will act this same way?

In fact, I have a feeling that blacklist does not require the additional backslash escape conditions. Is this correct?

Therefore, to blacklist these events (only when share path contains \??\D:) within an inputs.conf WinEventLog stanza, the following syntax should be used for a successful regex match:

blacklist3 = EventCode="5145" Message="Share Path:\s*(\\\?\?\\D:)"

Is this correct?

Thanks,

matt


mbrownoutside
Path Finder

After some testing, it's clear that regular escape syntax works:

blacklist3 = EventCode="5145" Message="Share Path:\s*(\\\?\?\\D:)"
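The following is an added example, not code from the thread or from Splunk. It cross-checks the two patterns from the posts above offline: the SPL string is first run through a simplified model of Splunk's double-quoted-string unescaping (an assumption: `\\` becomes `\` and `\"` becomes `"`, every other escape is left for the regex engine), while the inputs.conf value is used as a plain regex, which is what the accepted answer reports. Python's `re` stands in for PCRE here; the escapes involved (`\\`, `\?`, `\s`, named groups) behave the same in both. The sample event is reconstructed from the post and the `spl_unescape`, `effective_pattern`, `rex_path` and `blacklist_matches` names are mine.

```python
import re

# Constructed from the event body quoted in the question (whitespace trimmed).
SAMPLE_MESSAGE = r"""A network share object was checked to see whether client can be granted desired access.

Subject:
  Security ID:      S-1-5-21-001
  Account Name:     testuser
  Account Domain:       CONTOSO
  Logon ID:     0xA04CAB48

Share Information:
  Share Name:       \\*\uemprofiles
  Share Path:       \??\D:\UEM\uemprofiles
  Relative Target Name: testuser\favorites\thisisawebpage.url
"""

# The two patterns exactly as they appear in the thread.
SPL_REX_PATTERN = r"Share Path:\s*\\\\\?\?\\\\(?P<path>.*)"   # rex "...", four backslashes
SPL_REGEX_PATTERN = r"Share Path:\s*\\\\\?\?\\\\D"             # | regex Message="..."
BLACKLIST_PATTERN = r"Share Path:\s*(\\\?\?\\D:)"              # inputs.conf blacklist3 = ... Message="..."


def spl_unescape(quoted: str) -> str:
    """Model (assumption) of how Splunk handles a double-quoted string argument:
    '\\\\' -> '\\' and '\\"' -> '"'; any other backslash sequence is passed
    through untouched so the regex engine sees it (\\s, \\? and so on)."""
    out, i = [], 0
    while i < len(quoted):
        if quoted[i] == "\\" and i + 1 < len(quoted) and quoted[i + 1] in '\\"':
            out.append(quoted[i + 1])
            i += 2
        else:
            out.append(quoted[i])
            i += 1
    return "".join(out)


def effective_pattern(spl_pattern: str) -> str:
    """The regex that PCRE actually receives after SPL string processing."""
    return spl_unescape(spl_pattern)


def rex_path(message: str, spl_pattern: str = SPL_REX_PATTERN):
    """Emulate `| rex "<pattern>"`: unescape the SPL string, then extract the group."""
    m = re.search(effective_pattern(spl_pattern), message)
    return m.group("path") if m else None


def blacklist_matches(message: str, conf_pattern: str = BLACKLIST_PATTERN) -> bool:
    """Emulate the inputs.conf blacklist: the value is used as a regex as written,
    with no extra layer of unescaping (per the answer in the thread)."""
    return re.search(conf_pattern, message) is not None


if __name__ == "__main__":
    # After SPL unescaping, the search pattern and the conf pattern are the same regex.
    print(effective_pattern(SPL_REGEX_PATTERN))      # Share Path:\s*\\\?\?\\D
    print(rex_path(SAMPLE_MESSAGE))                   # D:\UEM\uemprofiles
    print(blacklist_matches(SAMPLE_MESSAGE))          # True
    # Caveat: copying the four-backslash search form into inputs.conf would NOT match,
    # because as a plain regex it demands two literal backslashes before the '??'.
    print(blacklist_matches(SAMPLE_MESSAGE, SPL_REGEX_PATTERN))  # False
```

Run it as-is to see both sides; to test a candidate blacklist value against your own event text, paste the Message body into SAMPLE_MESSAGE and the conf value into BLACKLIST_PATTERN. The last line is the check worth keeping: the search-time form (four backslashes) only works because SPL strips one layer of escaping before the regex engine sees it, so it must not be pasted verbatim into inputs.conf.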