Hello,
I want to exclude all the WinEventLogs for the service C:\Windows\System32\svchost.exe which don't contain the default path. So, for example, I don't want to see all the svchost.exe services which are in this path: C:\Windows\System32\
If the svchost.exe service is in any different path (e.g. C:\Windows\svchost.exe) I want to get an alert on it.
Any ideas how to do it in the most efficient way?
Thanks,
K.
I'm not 100% sure if my answer is what you're looking for, but please see below; if not, leave a comment and I'll get back to you.
If you're trying to send an alert when a field matches what you expect,
then use a simple if statement: | eval SendAlert=if(match(fieldname, "{either regex or string}"), 1, 0)
Then your alert settings should be to send an alert if any event has a field SendAlert set to 1.
Don't forget to comment if this isn't what you're looking for
Could you post a couple of sample events? You could try extracting the process name into a field and then searching for field_name != "c:\Windows\system32\svchost.exe"
Typically your search would be similar to:
<your sourcetype> | rex _raw "Process Name: (?<process_name>[^ ]+)" | search <your sourcetype> process_name !="c:\Windows\system32\svchost.exe"
If you can post sample events, I can confirm the regular expression.
Here is a sample log:
Access_Mask = 0x2
Access_Reasons = -
Accesses = Unknown specific access (bit 1)
Account_Domain =
Account_Name =
ComputerName =
EventCode = 4656
EventCodeDescription = A handle to an object was requested
EventType = 0
Handle_ID = 0x0
Keywords = Audit Success
LogName = Security
Logon_ID = 0x3e7
Message = A handle to an object was requested.
Process Name: C:\Windows\System32\svchost.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: Unknown specific access (bit 1) Access Reasons: - Access Mask: 0x2 Privileges Used for Access Check: - Restricted SID Count: 0
Object_Name = PlugPlaySecurityObject
Object_Server = PlugPlayManager
Object_Type = Security
OpCode = Info
Privileges_Used_for_Access_Check = -
Process_ID = 0x244
Process_Name = C:\Windows\System32\svchost.exe
RecordNumber = 78829788
Restricted_SID_Count = 0
Security_ID = NT AUTHORITY\SYSTEM
SourceName = Microsoft Windows security auditing.
TaskCategory = Other Object Access Events
Transaction_ID = {00000000-0000-0000-0000-000000000000}
Type = Information
action = failure
action_name = login_fail
action_title = Failed Login
dest = AZA2MGTXXSQM001
eventtype = wst_authentication authentication
host =
index = gis_wst
linecount = 37
punct = //::\r=\r=.\r=\r=\r=\r=..\r=\r=\r=\r=\r=_____.\r\r\r\r:
source = WinEventLog:Security
sourcetype = WinEventLog:Security
splunk_server = tag = authentication
I've edited my regex. That should work.
Thanks,
Haven't used extraction in the search ever, so this is my search query:
sourcetype="WinEventLog:Security" | rex _raw "Process Name: (?<process_name>[^ ]+)" | search sourcetype="WinEventLog:Security" process_name !="c:\Windows\system32\svchost.exe"
And this is what I get:
Error in 'rex' command: The regex '_raw' does not extract anything. It should specify at least one named group. Format: (?...).
Sorry, the query is this:
sourcetype="WinEventLog:Security" | rex _raw "Process Name: (?<process_name>[^ ]+)" | search sourcetype="WinEventLog:Security" process_name !="c:\Windows\system32\svchost.exe"
Try this:
sourcetype="WinEventLog:Security" | rex field=_raw "Process Name: (?<process_name>[^ ]+)" | search sourcetype="WinEventLog:Security" process_name !="c:\Windows\system32\svchost.exe"
Here is what worked for me:
| rex field=unparsed_message "(?P<fullpath>[A-Za-z]:\\[^|]+)" | rex field=fullpath "(?P<path>.+)\\" | rex field=fullpath "(?P<process>\w+\.\w+)$"
Hello, thanks for this. As for sample events, they are pretty much the same; in the raw logs I have the field ProcessName indexed and extracted, which is usually the path and the process I am looking for: ProcessName="c:\Windows\system32\svchost.exe". I can imagine how I would do it if I had two separate fields, one for the path and another for the process itself, but at the moment I am struggling while having everything in just one field. The field in the raw logs is always the same as in the above example. What I am trying to accomplish is to set up some rules to monitor default processes which start in non-default Windows locations.
Additionally, there is only one field which includes the process name within the raw logs: "Process Name: C:\Windows\System32\svchost.exe"
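The same detection logic as the rex/search pipeline above, written as an added Python example (not code from the thread) so the extraction and the path comparison can be tested offline on constructed 4656-style messages. It generalizes the thread's single svchost.exe check to an allow-list of expected directories per image (the allow-list, including SysWOW64, and the sample events are my assumptions), and compares case-insensitively, since Windows paths are.

```python
import re

# Mirrors the thread's rex: the path after "Process Name:" up to the next space.
# Caveat: like the original [^ ]+, this truncates paths that contain spaces.
PROCESS_NAME_RE = re.compile(r"Process Name:\s*(?P<process_name>[^ ]+)")

# Assumed allow-list: image name -> directories it is expected to run from
# (lower-cased, backslash-separated, no trailing separator).
EXPECTED_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

def extract_process_name(raw_event):
    """Return the Process Name path from a raw event, or None if absent."""
    m = PROCESS_NAME_RE.search(raw_event)
    return m.group("process_name") if m else None

def is_suspicious_location(process_path):
    """True when the image is tracked but runs from a directory not on its allow-list."""
    normalized = process_path.lower().replace("/", "\\")
    directory, _, image = normalized.rpartition("\\")
    expected = EXPECTED_LOCATIONS.get(image)
    if expected is None:
        return False  # not an image we monitor
    return directory not in expected

def find_alerts(raw_events):
    """Return the Process Name paths that should raise an alert, in event order."""
    alerts = []
    for event in raw_events:
        path = extract_process_name(event)
        if path and is_suspicious_location(path):
            alerts.append(path)
    return alerts

# Constructed sample events modelled on the 4656 message in the thread (not real logs).
SAMPLE_EVENTS = [
    "Process Name: C:\\Windows\\System32\\svchost.exe Access Request Information: -",
    "Process Name: C:\\Windows\\svchost.exe Access Request Information: -",
    "Process Name: c:\\windows\\SYSTEM32\\svchost.exe Access Request Information: -",
    "Process Name: C:\\Users\\Public\\svchost.exe Access Request Information: -",
    "Process Name: C:\\Windows\\explorer.exe Access Request Information: -",
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT: svchost.exe outside its default directory:", hit)
```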