Hi All,
I'm trying to filter our file audit logs, however I would like for it to ignore any files ending in .tmp
I can't seem to get the below to work properly... it seems to match on the event code and the Accesses but completely miss the Object Name for some reason?
REGEX = (?msi)EventCode=(4663|567|560).Object Name:\s(?!.tmp).Accesses:\s(DELETE|WRITE_DAC|WriteData)
An example log is:
20110309155132.000000
Category=3
CategoryString=Object Access
ComputerName=ComputerName
EventCode=560
EventIdentifier=560
EventType=4
Logfile=Security
RecordNumber=2572431
SourceName=Security
TimeGenerated=20110309155132.000000+600
TimeWritten=20110309155132.000000+600
Type=Audit Success
User=Username
wmi_type=WinEventLog:Security
Message=Object Open:
Object Server: Security
Object Type: File
Object Name: G:\users\xxxxxx\Outlook .pst folders\~archive.pst.tmp
Handle ID: 7420
Operation ID: {0,239001151}
Process ID: 4
Image File Name:
Primary User Name: SERVER$
Primary Domain: XXX
Primary Logon ID: (0x0,0x3E7)
Client User Name: User
Client Domain: Domain
Client Logon ID: (0x0,0xBA49FA7)
Accesses: DELETE
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x10080
Any ideas as to where I'm going wrong would be appreciated....
Thanks,
DB
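A runnable check of the filter the question describes, added here as an illustration and not taken from the thread: it assumes Python's re module and a constructed event modelled on the sample above. It shows why the question's lookahead never rejects a .tmp path (it only inspects the characters immediately after "Object Name:", not the end of the path) beside a pattern whose negative lookahead is scoped to the rest of that line while the fields are still matched across lines.

```python
import re

# Constructed sample event (not real log data), modelled on the format in the question.
EVENT_TMP = r"""EventCode=560
EventIdentifier=560
Message=Object Open:
Object Server: Security
Object Type: File
Object Name: G:\users\xxxxxx\Outlook .pst folders\~archive.pst.tmp
Handle ID: 7420
Accesses: DELETE
ReadAttributes
Access Mask: 0x10080
"""
EVENT_PST = EVENT_TMP.replace("~archive.pst.tmp", "~archive.pst")   # should be kept
EVENT_READ = EVENT_PST.replace("Accesses: DELETE", "Accesses: ReadData")  # wrong access

# The question's pattern: (?!.tmp) only looks at the few characters right after the
# whitespace following "Object Name:", so the ".tmp" at the end of the path is never
# examined and the .tmp event still matches.
ORIGINAL = re.compile(
    r"(?msi)EventCode=(4663|567|560).*Object Name:\s(?!.tmp).*Accesses:\s(DELETE|WRITE_DAC|WriteData)"
)

# Corrected pattern: the lookahead scans the remainder of the Object Name line ([^\r\n]*)
# and rejects the event if that line ends in .tmp; (?s) still lets .*? cross lines between
# the fields, and (?i) covers .TMP as well.
FILTER = re.compile(r"""(?msix)
    ^EventCode=(?:4663|567|560)\r?$            # event codes of interest, whole value
    .*?^Object\ Name:[ \t]*                    # skip forward to the Object Name line
    (?![^\r\n]*\.tmp[ \t]*\r?$)                # reject if that line ends in .tmp
    [^\r\n]*\r?$                               # consume the rest of the line
    .*?^Accesses:[ \t]*(?:DELETE|WRITE_DAC|WriteData)\b
""")


def is_interesting(event: str, pattern: re.Pattern = FILTER) -> bool:
    """Return True when the audit filter should keep this event."""
    return pattern.search(event) is not None


if __name__ == "__main__":
    print("original keeps .tmp event:", is_interesting(EVENT_TMP, ORIGINAL))  # True
    print("fixed keeps .tmp event:   ", is_interesting(EVENT_TMP))            # False
    print("fixed keeps .pst event:   ", is_interesting(EVENT_PST))            # True
```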
Try this one:
REGEX = (?msi)EventCode=(4663|567|560).Object Name:\s(?<!\.tmp).Accesses:\s(DELETE|WRITE_DAC|WriteData)
But I wonder if simply using "." to match over several lines really works. You can also try something like this:
REGEX = (?mi)^EventCode=(4663|567|560).*^Object Name:.*\.tmp$.*^Accesses:\s(DELETE|WRITE_DAC|WriteData)
Just tried something like this and it seems to work:
(?msi)^EventCode=(540|567|560).Object Name:..tmp.*Accesses:\s(DELETE|WRITE_DAC|WriteData)
I couldn't try your exact pattern, but used a similar expression.
Any other ideas??
Hi There... sorry, but neither of the above works....
Any other suggestions?
Hi there, I've posted an example log above now.... thanks!
Can you post some sample log records ?