Splunk Search

REGEX problem transforms.conf WinEventLog:Security

Explorer

Hey, I'm having problems with my REGEX expression. I'm trying to filter out the following:

If an event has Type = Success Audit OR [Type = Information AND Keywords = Audit Success]

The below event should get filtered out:

06/16/11 03:32:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=DBPP-AD1-08.UOMS.IE
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=403184238
[...]
host=DBPP-AD1-08 | sourcetype=WinEventLog:Security | source=WinEventLog:Security | Keywords=Audit Success | Type=Information

transforms.conf

[nullFilter]
REGEX = (?m)^(Type= Success Audit) | (Type = information && Keywords = Success Audit)
DEST_KEY = queue
FORMAT = nullQueue

Thanks for the help!

0 Karma

Path Finder

Try one at a time, then try to expand it. Also, I notice you have spaces in your regex?

If you need 2 then do something like this:
props.conf:
TRANSFORMS-set = setnullevents1,setnullevents2

and then transforms.conf:

[setnullevents1]
blah

[setnullevents2]
blah

From our working one to filter out specific hosts and events:

[setnullevents]
REGEX = (?ms)(EventCode=(17503|6105|6107|6106|6201)\D).*(ComputerName=(COMP-001|COMP-002|COMP-003))
DEST_KEY = queue
FORMAT = nullQueue

SplunkTrust

You may want to try:
REGEX = (?m)^(Type=Success\sAudit)|(Keywords=Audit\sSuccess.*Type=Information\sOptions)

SplunkTrust

Posted this yesterday, but it didn't seem to take. Based on the event shown in the email I got, here is another regex to try:
Type=Information\n(.*\n)+Keywords=Audit\sSuccess|Type=Success\sAudit

0 Karma

SplunkTrust

There was a comment which came through email, but not displayed here which showed the event data. Another regex to try:

Type=Information\n(.*\n)*Keywords=Audit\sSuccess|Type=Success\sAudit

0 Karma

Explorer

06/16/11 05:52:59 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=DBPP-AD1-08.UOMS.IE
TaskCategory=Detailed File Share
OpCode=Info
RecordNumber=403262630
Keywords=Audit Success
Message=A network share object was checked to see whether client can be granted desired access.

0 Karma

Explorer

I tried putting in (.*) as you suggested so I can see whether the transform is working, as I see nothing coming in.
No, the events aren't displaying correctly here, which is a bit annoying; it seems to ignore the line breaks. I'll try to print what it's like on Splunk Web with spaces in between lines.

0 Karma

SplunkTrust

You can change the regex to something which will always capture (like (.*)) to make sure Splunk is picking up the transform.

Also, is the event displaying correctly on the Answers site (with line breaks, etc)?

0 Karma
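To see how the regexes in this thread behave against a multi-line Security event, here is an added Python example (not from the original thread and not Splunk's own code) that models a transforms.conf stanza with DEST_KEY = queue and FORMAT = nullQueue: the last suggested pattern, the original one, and the (.*) catch-all check are run over constructed sample events laid out one field per line. It assumes Python's re module behaves like Splunk's PCRE for these particular patterns.

```python
import re

# Constructed sample events (not captured from Splunk), laid out like the
# Security events quoted in this thread, one field per line.
INFO_SUCCESS = "\n".join([
    "06/16/11 05:52:59 PM",
    "LogName=Security",
    "SourceName=Microsoft Windows security auditing.",
    "EventCode=5145",
    "EventType=0",
    "Type=Information",
    "ComputerName=DBPP-AD1-08.UOMS.IE",
    "TaskCategory=Detailed File Share",
    "OpCode=Info",
    "RecordNumber=403262630",
    "Keywords=Audit Success",
    "Message=A network share object was checked to see whether client can be granted desired access.",
])
# Older-style success event, and a failure event that must NOT be dropped.
SUCCESS_AUDIT = INFO_SUCCESS.replace("Type=Information", "Type=Success Audit")
INFO_FAILURE = INFO_SUCCESS.replace("Keywords=Audit Success", "Keywords=Audit Failure")

# REGEX values taken from the thread: the original stanza, the last suggested
# pattern, and the catch-all used to confirm the transform is applied at all.
ORIGINAL = r"(?m)^(Type= Success Audit) | (Type = information && Keywords = Success Audit)"
SUGGESTED = r"Type=Information\n(.*\n)*Keywords=Audit\sSuccess|Type=Success\sAudit"
CATCH_ALL = r"(.*)"


def route(event: str, regex: str) -> str:
    """Model a stanza with DEST_KEY = queue / FORMAT = nullQueue.

    Splunk applies REGEX to the raw event text: a match sends the event to
    nullQueue (dropped); no match leaves it on the default indexQueue.
    Assumption: Python's re matches these patterns the same way PCRE does.
    """
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def dropped_by(regex: str) -> list:
    """Names of the sample events that a given REGEX would send to nullQueue."""
    samples = {"info_success": INFO_SUCCESS,
               "success_audit": SUCCESS_AUDIT,
               "info_failure": INFO_FAILURE}
    return [name for name, text in samples.items() if route(text, regex) == "nullQueue"]


if __name__ == "__main__":
    for label, rx in (("original", ORIGINAL), ("suggested", SUGGESTED), ("catch-all", CATCH_ALL)):
        print(f"{label:10s} drops {dropped_by(rx)}")
```

The original pattern drops nothing because its literal spaces, lowercase "information" and "&&" never occur in the event text, while the suggested pattern drops both success variants and keeps the failure event.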

Explorer

I tried taking it out, but still nothing; everything seems to get through...

It's very strange. Here is the directory I have the two files in. Any reason why you think it's failing to capture?

uoms@DBPP-Splunk:/opt/splunk/etc/system/local$ ls -la
-rwxrwxr-x 1 splunk splunk 18665 2011-06-13 17:15 props.conf
-rwxrwxr-x 1 splunk splunk 10793 2011-06-16 17:35 transforms.conf

Thanks,

0 Karma

SplunkTrust

If you take out the "(?m)^" at the start of the regex, does that help?

0 Karma

Explorer

auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=DBPP-AD1-08.UOMS.IE
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=403243973
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
 Process ID: 780
 Application Name: \device\harddiskvolume2\windows\system32\svchost.exe
Network Information:
 Direction: Inbound
 Source Address: 10.10.10.1
 Source Port: 135
 Destination Address: 10.10.12.184
 Destination Port: 2562
 Protocol: 6
Filter Information:
 Filter Run-Time ID: 0
 Layer Name: Receive/Accept
 Layer Run-Time ID: 44

0 Karma

Explorer

Thanks dshpritz, but I still get all these types in new searches of sourcetype="WinEventLog:Security".
I restarted Splunk after editing transforms.conf.
Here is my props.conf:

[source::WinEventLog:Security]
TRANSFORMS-nullQ= nullFilter

I've added an event below that came in after the modification.

0 Karma