Splunk Search

Problems with Regex and 3 Criteria Fields.....

Scarecrowddb
Explorer

Hi All,

I'm trying to filter our logs, however I would like for it to filter on 3 criteria - the event code, the Object name and the Accesses fields....

I can't seem to get the below to work properly... If I take out the 'Object Name:\s*(?!.tmp).*' it will filter on the other two, however with all three it doesn't work...

I would like for it to check that the event code is either 4663, 567 or 560, then make sure that the Object Name does not end with .tmp, and finally that the Accesses were DELETE or WRITE_DAC or WriteData...

There's something that I'm obviously missing that I really need some help with... any help would be greatly appreciated...

REGEX = (?msi)EventCode=(4663|567|560).*Object Name:\s*(?!\.tmp).*Accesses:\s*(DELETE|WRITE_DAC|WriteData)

For the record, I've also tried the below without success:

REGEX = (?msi)EventCode=(4663|567|560).*Object Name:\s*(?!\.tmp).*Accesses:\s*(DELETE|WRITE_DAC|WriteData)

REGEX = (?mi)^EventCode=(4663|567|560).*^Object Name:.*\.tmp$.*^Accesses:\s(DELETE|WRITE_DAC|WriteData)

An example log is:

20110309155132.000000
Category=3
CategoryString=Object Access
ComputerName=ComputerName
EventCode=560
EventIdentifier=560
EventType=4
Logfile=Security
RecordNumber=2572431
SourceName=Security
TimeGenerated=20110309155132.000000+600
TimeWritten=20110309155132.000000+600
Type=Audit Success
User=Username
wmi_type=WinEventLog:Security
Message=Object Open:
Object Server: Security Object Type: File Object Name: G:\users\xxxxxx\Outlook .pst folders\~archive.pst.tmp Handle ID: 7420 Operation ID: {0,239001151} Process ID: 4 Image File Name:
Primary User Name: SERVER$ Primary Domain: XXX Primary Logon ID: (0x0,0x3E7) Client User Name: User Client Domain: Domain Client Logon ID: (0x0,0xBA49FA7) Accesses: DELETE ReadAttributes Privileges: - Restricted Sid Count: 0 Access Mask: 0x10080

Any ideas as to where I'm going wrong would be appreciated....

Thanks,

DB

0 Karma

Hajime
Path Finder

Hello DB,

Try this one:

REGEX = (?msi)^EventCode=(4663|567|560).*Object Name:.*\.tmp\s.*Accesses:\s(DELETE|WRITE_DAC|WriteData)

0 Karma

Hajime
Path Finder

I understand you don't want to select any .tmp files.
But I think it is difficult to exclude .tmp files.
The reason you can not use "(?!.tmp)" and "(?<!.tmp)" is that there are no clear boundaries.
...If you want to search, I think you should extract the "Object Name" field and add the search condition: | regex ObjectName!=".tmp$"

0 Karma

Scarecrowddb
Explorer

Yeah I know... it's driving me crazy... the problem is that I don't want it to select any of the .tmp files... So there really needs to be a Not in there.. So basically I want the below log:

EventCode=560
Object Name: G:\users\xxxxxx\Outlook .pst folders\~archive.pst
Accesses: DELETE

But not:

EventCode=560
Object Name: G:\users\xxxxxx\Outlook .pst folders\~archive.pst.tmp
Accesses: DELETE

0 Karma

Hajime
Path Finder

Hmm, it's difficult... How about this one.
REGEX = (?msi)^EventCode=(4663|567|560).*Object Name:\t+.*.tmp.*Accesses:\t+(DELETE|WRITE_DAC|WriteData)

0 Karma

Scarecrowddb
Explorer

Sorry, but that didn't work... any other ideas? It's driving me crazy!

Cheers,

David.

0 Karma
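To make Hajime's point about boundaries concrete, here is an added Python example (not from the thread) that runs David's original pattern and a corrected one over constructed events modelled on the sample log. It assumes, as in the sample, that the Object Name value is followed by the `Handle ID:` label, which gives the negative lookahead the end-of-path boundary it needs.

```python
import re

# Constructed sample events modelled on the thread's log: a .tmp object,
# the same object without .tmp, a read-only access, and an event code
# that merely starts with 560.
MSG = ("EventCode={code}\nMessage=Object Open:\nObject Server: Security "
       "Object Type: File Object Name: {name} Handle ID: 7420 "
       "Accesses: {access} ReadAttributes Privileges: -")

EVENTS = {
    "tmp":  MSG.format(code=560, name=r"G:\users\x\Outlook .pst folders\~archive.pst.tmp", access="DELETE"),
    "pst":  MSG.format(code=560, name=r"G:\users\x\Outlook .pst folders\~archive.pst", access="DELETE"),
    "read": MSG.format(code=4663, name=r"G:\users\x\report.docx", access="ReadData"),
    "code": MSG.format(code=5600, name=r"G:\users\x\report.docx", access="WriteData"),
}

# The thread's regex: the lookahead is evaluated where the path *starts*, so
# "(?!\.tmp)" only rejects paths beginning with ".tmp" and never sees the end.
# It also lacks a boundary after the event code, so 5600 passes as 560.
ORIGINAL = re.compile(
    r"(?msi)EventCode=(4663|567|560).*Object Name:\s*(?!\.tmp)"
    r".*Accesses:\s*(DELETE|WRITE_DAC|WriteData)")

# Corrected pattern: from the start of the path, look ahead for ".tmp"
# immediately before the next field label and reject the event if found.
# "Handle ID:" as the label that ends the path is an assumption taken
# from the sample log; adjust it if your event format differs.
FIXED = re.compile(
    r"(?msi)EventCode=(4663|567|560)\b.*Object Name:\s*(?!.*?\.tmp\s+Handle ID:)"
    r".*?Accesses:\s*(DELETE|WRITE_DAC|WriteData)\b")


def matches(pattern: re.Pattern, event: str) -> bool:
    """True if the pattern would keep (select) this event."""
    return pattern.search(event) is not None


def classify(pattern: re.Pattern) -> dict:
    """Map each constructed event name to whether the pattern keeps it."""
    return {name: matches(pattern, text) for name, text in EVENTS.items()}


if __name__ == "__main__":
    print("original:", classify(ORIGINAL))  # keeps the .tmp event and code 5600
    print("fixed:   ", classify(FIXED))     # keeps only the .pst DELETE event
```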