Splunk Search

Problems with Regex and 3 Criteria Fields.....

Scarecrowddb
Explorer

Hi All,

I'm trying to filter our logs; however, I would like it to filter on 3 criteria: the event code, the Object Name and the Accesses fields....

I can't seem to get the below to work properly... If I take out the 'Object Name:\s*(?!.tmp).*' it will filter on the other two, but with all three it doesn't work...

I would like it to check that the event code is either 4663, 567 or 560, then make sure that the Object Name does not end with .tmp, and finally that the Accesses field is DELETE, WRITE_DAC or WriteData...

There's something that I'm obviously missing that I really need some help with... any help would be greatly appreciated...

REGEX = (?msi)EventCode=(4663|567|560).*Object Name:\s*(?!\.tmp).*Accesses:\s*(DELETE|WRITE_DAC|WriteData)

For the record, I've also tried the below without success:

REGEX = (?msi)EventCode=(4663|567|560).Object Name:\s(?!\.tmp).Accesses:\s(DELETE|WRITE_DAC|WriteData)  

REGEX = (?mi)^EventCode=(4663|567|560).*^Object Name:.*\.tmp$.*^Accesses:\s(DELETE|WRITE_DAC|WriteData)

An example log is:

20110309155132.000000
Category=3
CategoryString=Object Access
ComputerName=ComputerName
EventCode=560
EventIdentifier=560
EventType=4
Logfile=Security
RecordNumber=2572431
SourceName=Security
TimeGenerated=20110309155132.000000+600
TimeWritten=20110309155132.000000+600
Type=Audit Success
User=Username
wmi_type=WinEventLog:Security
Message=Object Open:
Object Server: Security Object Type: File Object Name: G:\users\xxxxxx\Outlook .pst folders\~archive.pst.tmp Handle ID: 7420 Operation ID: {0,239001151} Process ID: 4 Image File Name:
Primary User Name: SERVER$ Primary Domain: XXX Primary Logon ID: (0x0,0x3E7) Client User Name: User Client Domain: Domain Client Logon ID: (0x0,0xBA49FA7) Accesses: DELETE ReadAttributes Privileges: - Restricted Sid Count: 0 Access Mask: 0x10080

Any ideas as to where I'm going wrong would be appreciated....

Thanks,

DB

0 Karma

Hajime
Path Finder

Hello DB,

Try this one:

REGEX = (?msi)^EventCode=(4663|567|560).*Object Name:.*\.tmp\s.*Accesses:\s(DELETE|WRITE_DAC|WriteData)

0 Karma

Hajime
Path Finder

I understand you don't want to select any .tmp files.
But I think it is difficult to exclude .tmp files.
The reason you cannot use "(?!.tmp)" or "(?<!.tmp)" is that there are no clear boundaries.
...If you want to search, I think you should extract the "Object Name" field and add the search condition: | regex ObjectName!="\.tmp$"

0 Karma

Scarecrowddb
Explorer

Yeah I know... it's driving me crazy... the problem is that I don't want it to select any of the .tmp files... So there really needs to be a Not in there.. So basically I want the below log:

EventCode=560
Object Name: G:\users\xxxxxx\Outlook .pst folders\~archive.pst
Accesses: DELETE

But not:

EventCode=560
Object Name: G:\users\xxxxxx\Outlook .pst folders\~archive.pst.tmp
Accesses: DELETE

0 Karma

Hajime
Path Finder

Hmm, it's difficult... How about this one.
REGEX = (?msi)^EventCode=(4663|567|560).Object Name:\t+..tmp.*Accesses:\t+(DELETE|WRITE_DAC|WriteData)

0 Karma

Scarecrowddb
Explorer

Sorry, but that didn't work... any other ideas? It's driving me crazy!

Cheers,

David.

0 Karma
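The three conditions from the question, with the negative lookahead given the boundary that Hajime points out it lacks, as an added Python example that is not from any poster in this thread. It assumes the Object Name value is always followed by the `Handle ID:` label (as in the sample log) and uses Python's re module rather than Splunk's PCRE engine; the sample events are constructed from the log in the question.

```python
import re

# Constructed sample events modelled on the log in the thread: the first
# touches the finished .pst file, the second the temporary .pst.tmp copy.
EVENT_PST = (
    "EventCode=560\n"
    "Message=Object Open:\n"
    "Object Server: Security Object Type: File Object Name: "
    "G:\\users\\xxxxxx\\Outlook .pst folders\\~archive.pst Handle ID: 7420 "
    "Operation ID: {0,239001151} Process ID: 4 Image File Name:\n"
    "Primary User Name: SERVER$ Accesses: DELETE ReadAttributes "
    "Privileges: - Restricted Sid Count: 0 Access Mask: 0x10080\n"
)
EVENT_TMP = EVENT_PST.replace("~archive.pst Handle", "~archive.pst.tmp Handle")

# The lookahead from the question. (?!\.tmp) is evaluated at the first
# character of the path, which is never ".tmp", so it excludes nothing.
BROKEN = re.compile(
    r"(?msi)EventCode=(4663|567|560).*Object Name:\s*(?!\.tmp).*"
    r"Accesses:\s*(DELETE|WRITE_DAC|WriteData)"
)

# Fixed: the lookahead scans forward (within the line) to the delimiter that
# ends the Object Name value, "Handle ID:" (assumed to always follow it),
# and rejects the event when the name right before it ends in .tmp.
# \b after the event code and the access name keeps 5600 or DELETEX from
# matching; the lazy .*? keeps the match inside one event.
FIXED = re.compile(
    r"(?msi)EventCode=(?:4663|567|560)\b.*?"
    r"Object Name:\s*(?![^\n]*?\.tmp\s+Handle ID:)[^\n]*?\s+Handle ID:.*?"
    r"Accesses:\s*(DELETE|WRITE_DAC|WriteData)\b"
)


def matches(pattern, event):
    """Return True when the event satisfies all three criteria under pattern."""
    return pattern.search(event) is not None


def keep_events(events, pattern=FIXED):
    """Filter raw events the way a matching REGEX setting would keep them."""
    return [e for e in events if matches(pattern, e)]
```

The same pattern can be used as a PCRE REGEX in Splunk; if an event variant does not carry the `Handle ID:` label, the fixed pattern will not match it at all, which is the safe failure for an include filter.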