Splunk Search

REGEX to filter out event records

New Member

At the indexer, we are trying to exclude event records from incoming Windows logs that have Logon_Type=3.

Below is the configuration that we have, but it doesn't seem to work. Also, is there a way to test this regex via the Search option in the UI before putting it in the conf files?

props.conf entry:

[source::WinEventLog:Security]
TRANSFORMS-nullq=Remove_Logon_Type_3

transforms.conf entry:

[Remove_Logon_Type_3]
REGEX=(?msi).*Logon Type:\s*3\D
DEST_KEY=queue
FORMAT=nullQueue

A sample event record is below. We are trying to eliminate records by matching a text string in the record, because we are not sure whether we can explicitly name a specific field like "Logon_Type".

09/04/2013 06:18:26 PM
LogName=Security
SourceName=Security
EventCode=538
EventType=8
Type=Success Audit
ComputerName=SNODEV106
User=polypaths
Sid=S-1-5-21-1971354296-1767978563-709122288-167354
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=3049159
Message=User Logoff:
        User Name:  polypaths
        Domain:     CGUSER
        Logon ID:   (0x0,0x644269C)
        Logon Type: 3

Please advise.
Thanks… Al


Re: REGEX to filter out event records

Super Champion

Hello,
Yes, there is a way to test a regex in a search. Use | regex _raw= as in the following.

index=main sourcetype="*security*" EventCode=538 | regex _raw="(?m).*Logon\sType:\s+3.*"

I tested it and it worked. Try it in your transforms.conf.


Re: REGEX to filter out event records

Explorer

Belated thanks for your response, which did help us test the regex from "Splunk Search". We were able to tweak it as follows and successfully tested it in our env:

| regex _raw="(?msi).*Logon\sType:\s*3\D"

However, we were still having issues with the actual regex configuration, where we had done the following on the heavy forwarder, but still could not filter out events.
props.conf

[source::WinEventLog:Security]
TRANSFORMS-nullq=RemoveLogonType_3

transforms.conf

[RemoveLogonType_3]
REGEX=(?msi).*Logon\sType:\s*3\D
DEST_KEY=queue
FORMAT=nullQueue

Please let me know if any of the config info looks out of place. And feel free to post any additional comments, ideas, etc. Thanks again... Al


Re: REGEX to filter out event records

Super Champion

From what I understand, you have to discard everything before you keep something, or you have to keep everything before you discard something.

It would be the backwards version of this answer:
http://answers.splunk.com/answers/99905/how-to-forward-only-specific-windows-eventlogs-via-splunk-un...

props.conf

[source::WinEventLog:Security]
TRANSFORMS-nullq=KeepLogs,RemoveLogonType_3

transforms.conf

[KeepLogs]
REGEX=.
DEST_KEY=queue
FORMAT=indexQueue

[RemoveLogonType_3]
REGEX=(?msi).*Logon\sType:\s*3\D
DEST_KEY=queue
FORMAT=nullQueue

I'll test this in the morning.

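As an added example, not code from this thread or from Splunk itself, the script below emulates offline what the indexer does with a TRANSFORMS-* list whose stanzas set DEST_KEY=queue: each transform's REGEX is tried against _raw in the listed order, every match overwrites the queue, and the last match wins (anything unmatched stays in indexQueue). It lets you check the regex from the question and the two-stanza ordering from the reply above before touching a conf file. The Transform class, the route and dropped helpers, and the three sample events are all constructed here for illustration and are modelled on the 538 event posted in the question; they are not captured logs. It assumes only that Python's re module and Splunk's PCRE agree on the constructs used, (?msi), \s, \D and a negative lookahead, which they do.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Transform:
    """One transforms.conf stanza with DEST_KEY=queue (hypothetical helper class)."""
    name: str      # stanza name, e.g. [Remove_Logon_Type_3]
    regex: str     # REGEX= value, applied to _raw with re.search (unanchored, like Splunk)
    fmt: str       # FORMAT= value: "nullQueue" or "indexQueue"


def route(raw, transforms):
    """Return the queue an event ends up in.

    Mirrors TRANSFORMS-<class> = A,B,C: every transform is tried in order and
    each match overwrites the queue key, so the LAST matching transform
    decides. An event that matches nothing keeps the default indexQueue.
    """
    queue = "indexQueue"
    for t in transforms:
        if re.search(t.regex, raw):
            queue = t.fmt
    return queue


# Constructed sample events (not captured logs), modelled on the 538 event
# posted in the question. Message fields are tab-indented like the real body.
EVENTS = {
    # Logoff: "Logon Type:" is the LAST field, so _raw ends right after the digit.
    "net_logoff_last_field": (
        "09/04/2013 06:18:26 PM\n"
        "LogName=Security\n"
        "EventCode=538\n"
        "Message=User Logoff:\n"
        "\tUser Name:  polypaths\n"
        "\tDomain:     CGUSER\n"
        "\tLogon ID:   (0x0,0x644269C)\n"
        "\tLogon Type: 3"
    ),
    # Logon: more fields follow "Logon Type:", so a newline comes after the digit.
    "net_logon_more_fields": (
        "09/04/2013 06:18:20 PM\n"
        "LogName=Security\n"
        "EventCode=540\n"
        "Message=Successful Network Logon:\n"
        "\tUser Name:  polypaths\n"
        "\tLogon Type: 3\n"
        "\tLogon Process: Kerberos"
    ),
    # Interactive logon (type 2) must never be dropped.
    "interactive_logon": (
        "09/04/2013 06:19:00 PM\n"
        "LogName=Security\n"
        "EventCode=528\n"
        "Message=Successful Logon:\n"
        "\tUser Name:  polypaths\n"
        "\tLogon Type: 2\n"
        "\tLogon Process: User32"
    ),
}

# The regex as posted in the question: (?s) lets .* span lines, but the
# trailing \D must CONSUME a non-digit character after the 3.
THREAD_RULES = [
    Transform("Remove_Logon_Type_3", r"(?msi).*Logon Type:\s*3\D", "nullQueue"),
]

# Same intent with a negative lookahead: (?!\d) also succeeds at end of
# string, so a 538 event whose _raw ends in "3" is caught too. The leading
# .* is dropped because re.search (like Splunk's REGEX) is already unanchored.
FIXED_RULES = [
    Transform("Remove_Logon_Type_3", r"(?msi)Logon Type:\s*3(?!\d)", "nullQueue"),
]

# The two-stanza layout from the reply above: KeepLogs matches everything and
# sends it to indexQueue, then the nullQueue rule overrides it for type 3.
ORDERED_RULES = [
    Transform("KeepLogs", r".", "indexQueue"),
    Transform("RemoveLogonType_3", r"(?msi)Logon Type:\s*3(?!\d)", "nullQueue"),
]


def dropped(transforms, events=EVENTS):
    """Names of the sample events that would land in nullQueue."""
    return [name for name, raw in events.items()
            if route(raw, transforms) == "nullQueue"]


if __name__ == "__main__":
    for label, rules in (("as posted", THREAD_RULES),
                         ("lookahead fix", FIXED_RULES),
                         ("keep-then-drop order", ORDERED_RULES),
                         ("drop-then-keep order", list(reversed(ORDERED_RULES)))):
        print(f"{label:22} drops: {dropped(rules)}")
```

Running it prints which constructed events each rule set would send to nullQueue, and two things become visible. First, the \D at the end of the posted regex has to consume a character after the 3, so if a 538 event's _raw ends immediately after the digit (the last line of the posted sample suggests it may) that event is never dropped, whereas (?!\d) also matches at end of string. Second, when several transforms route on the queue key the last match wins, which is why a catch-all KeepLogs stanza has to be listed before the nullQueue stanza: listed after it, it sends every event back to indexQueue.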

Re: REGEX to filter out event records

Path Finder

I use a blacklist stanza in the inputs.conf file on the UniversalForwarder:

blacklist1 = Message=".*Logon\sType:\s*3\D"
