Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex match on "message" portion of event

montydo
Explorer
‎01-20-2020 03:04 AM

From the splunk windows_TA guide

"The following keys are equivalent to the fields which appear in the text of
the acquired events: Category CategoryString ComputerName EventCode
EventType Keywords LogName **Message** OpCode RecordNumber Sid SidType
SourceName TaskCategory Type User"

I'm trying to filter on the contents of the "Message" field:

An operation was attempted on a privileged object. Subject: Security ID:    ROOT\username Account Name: username Account Domain:    DOMAINNAME Logon ID:    0x200ABCD1 Object: Object Server:   Security Object Type:   - Object Name:  - Object Handle: 0x1234 Process Information: Process ID:    0x12A3 Process Name:    **C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe** Requested Operation: Desired Access:   1234567 Privileges: SeTakeOwnershipPrivilege

I'm looking to match on the "C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe" portion and discard the events through a blacklist stanza in the inputs.conf on the Universal Forwarder.

Something like:

blacklist3 = | key=regex [key=REGEXHERE?]

Is this possible? and can anyone help with the regex?

Tags (2)
0 Karma
Reply

damann
Communicator
‎01-20-2020 04:09 AM

Try this for your blacklisting.
Make sure you escape your backslashes and your dots as they would be interpreted as wildcards.

blacklist3 = Message="Process Name:\s+\*\*C:\\Program Files\\Veeam\\Backup and Replication\\Console\\veeam\.backup\.shell\.exe"
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-20-2020 04:07 AM

Hi @montydo,
let me understand: do you want to exclude from indexing all the events where there's the string "C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe" ?
if this is your need you should use something like this:

[WinEventLog://Security]
disabled = 0
start_from = newest
blacklist1 = C:\\Program Files\\Veeam\\Backup and Replication\\Console\\veeam.backup\.shell\.exe
index = wineventlog

otherwise, you can filter these events on Indexers before indexing (see at https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad#Filter_event_data_... ) using the same regex.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...