Hey, I'm having problems with my REGEX expression. I'm trying to filter out the following:
If an event has Type = Success Audit OR [Type = Information AND Keywords = Audit Success]
The below event should get filtered out:
06/16/11 03:32:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=DBPP-AD1-08.UOMS.IE
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=403184238
host=DBPP-AD1-08 | sourcetype=WinEventLog:Security | source=WinEventLog:Security | Keywords=Audit Success | Type=Information
transforms.conf
[nullFilter]
REGEX = (?m)^(Type= Success Audit) | (Type = information && Keywords = Success Audit)
DEST_KEY = queue
FORMAT = nullQueue
Thanks for the help!
Try one at a time, then try and expand it. Also, I notice you have spaces in your regex?
If you need 2 then do something like this:
props.conf:
TRANSFORMS-set = setnullevents1,setnullevents2
and then transforms.conf:
[setnullevents1]
blah
[setnullevents2]
blah
From our working one to filter out specific hosts and events:
[setnullevents]
REGEX = (?ms)(EventCode=(17503|6105|6107|6106|6201)\D).*(ComputerName=(COMP-001|COMP-002|COMP-003))
DEST_KEY = queue
FORMAT = nullQueue
You may want to try:
REGEX = (?m)^(Type=Success\sAudit)|(Keywords=Audit\sSuccess.*Type=Information\sOptions)
Posted this yesterday, but it didn't seem to take. Based on the event shown in the email I got, here is another regex to try:
Type=Information\n(.*\n)+Keywords=Audit\sSuccess|Type=Success\sAudit
There was a comment which came through email, but not displayed here which showed the event data. Another regex to try:
Type=Information\n(.*\n)*Keywords=Audit\sSuccess|Type=Success\sAudit
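To check a candidate nullQueue pattern before restarting Splunk, here is an added Python test harness (not from this thread and not part of Splunk) that runs the REGEX as first posted in the question and the one suggested above against constructed sample events laid out one field per line, the way Splunk shows WinEventLog:Security events; the sample events and their RecordNumber values are made up.

```python
import re

def make_event(event_code, type_, keywords, record):
    """Build a constructed WinEventLog:Security event in Splunk's
    one-field-per-line layout (sample data, not a real log)."""
    return "\n".join([
        "06/16/11 05:52:59 PM",
        "LogName=Security",
        "SourceName=Microsoft Windows security auditing.",
        f"EventCode={event_code}",
        "EventType=0",
        f"Type={type_}",
        "ComputerName=DBPP-AD1-08.UOMS.IE",
        f"RecordNumber={record}",
        f"Keywords={keywords}",
        "Message=constructed sample message.",
    ])

# Constructed test set: 1 and 2 should be dropped, 3 and 4 must survive.
SAMPLE_EVENTS = [
    make_event(5145, "Information", "Audit Success", 1),
    make_event(4624, "Success Audit", "Audit Success", 2),
    make_event(4625, "Information", "Audit Failure", 3),
    make_event(4625, "Failure Audit", "Audit Failure", 4),
]

# REGEX as first posted in the question: the literal spaces around "="
# and the "&&" mean neither alternative can match a real event.
REGEX_AS_POSTED = r"(?m)^(Type= Success Audit) | (Type = information && Keywords = Success Audit)"

# REGEX suggested in the thread: walk line by line from Type=Information
# to Keywords=Audit Success, or match the old-style Type=Success Audit.
REGEX_SUGGESTED = r"Type=Information\n(.*\n)*Keywords=Audit\sSuccess|Type=Success\sAudit"

def would_drop(regex, event):
    """True if a nullQueue transform with this REGEX would match the event.
    A transforms.conf REGEX is unanchored, so re.search is the analogue."""
    return re.search(regex, event) is not None

def kept_records(regex, events=SAMPLE_EVENTS):
    """RecordNumber values that survive the filter; check this list
    before putting a pattern into transforms.conf."""
    kept = []
    for ev in events:
        if not would_drop(regex, ev):
            kept.append(int(re.search(r"^RecordNumber=(\d+)$", ev, re.M).group(1)))
    return kept
```

With the constructed set, kept_records(REGEX_AS_POSTED) returns [1, 2, 3, 4] (nothing is filtered) and kept_records(REGEX_SUGGESTED) returns [3, 4].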
06/16/11 05:52:59 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=DBPP-AD1-08.UOMS.IE
TaskCategory=Detailed File Share
OpCode=Info
RecordNumber=403262630
Keywords=Audit Success
Message=A network share object was checked to see whether client can be granted desired access.
I tried putting in (.*) as you suggested so I can see the transform is working, as I see nothing coming in.
No, the events aren't displaying correctly here, which is a bit annoying; it seems to ignore the line breaks. I'll try to print what it's like on Splunk Web with spaces in between lines.
You can change the regex to something which will always capture (like (.*)) to make sure Splunk is picking up the transform.
Also, is the event displaying correctly on the Answers site (with line breaks, etc)?
I tried taking it out, but still nothing, everything seems to get through...
It's very strange. Here's the directory I have the two files in... any reason why you think it's failing to capture?
uoms@DBPP-Splunk:/opt/splunk/etc/system/local$ ls -la
-rwxrwxr-x 1 splunk splunk 18665 2011-06-13 17:15 props.conf
-rwxrwxr-x 1 splunk splunk 10793 2011-06-16 17:35 transforms.conf
Thanks,
If you take out the "(?m)^" at the start of the regex, does that help?
auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=DBPP-AD1-08.UOMS.IE
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=403243973
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 780
Application Name: \device\harddiskvolume2\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 10.10.10.1
Source Port: 135
Destination Address: 10.10.12.184
Destination Port: 2562
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
Thanks dshpritz, but I still get all these types in new searches of sourcetype="WinEventLog:Security"
I restarted Splunk after editing the transforms.conf.
Here is my props.conf:
[source::WinEventLog:Security]
TRANSFORMS-nullQ= nullFilter
I've added an event below that came in after the modification.