Solved: Re: Saving License on Windows Events - Regex "This...

dieguiariel · ‎08-04-2020

Hi! i've been trying to regex some part of the windows events to save license. Many windows events contains a large part of text that begins with "This event is generated".

I've edited props.conf:

[source::WinEventLog:Security]
TRANSFORMS-removedescription = removeEventDesc1

and transforms.conf:

[removeEventDesc1]
LOOKAHEAD = 16128
REGEX = (?msi)(.*)This event is generated
DEST_KEY = _raw
FORMAT = $1

(based on this link https://www.hurricanelabs.com/splunk-tutorials/windows-event-log-filtering-design-in-splunk)

But isn't working.

There is another way to do this?

I've installed forwarders on my windows systems, and already blacklisted events with inputs.conf (that works)

Thanks in advance and sorry for my english, im from Paraguay.

dieguiariel · ‎08-07-2020

Thanks, ive installed the addon, create a serverclass with some windows and deploy the app to the servers and its working. It seems that this has changed also the format of logs to xml.

thanks!

View solution in original post

thambisetty · ‎08-04-2020

If you have already blacklisted on universal forwarder why do you want to do it at heavy forwarder level.

the best recommended way of blacklisting windows events is using universal forwarder.

————————————
If this helps, give a like below.

dieguiariel · ‎08-05-2020

So this regex must be on the universal forwarder app folder? I will try this too. Thanks for your reply

thambisetty · ‎08-05-2020

Okay. Please like the answer if it solves your questions.

————————————
If this helps, give a like below.

dieguiariel · ‎08-07-2020

i've manually edit the universal forwarder files on the windows machine but seems that this regex need the Windows addon, without it doesnt make any difference.

thambisetty · ‎08-07-2020

not really you just need inputs.conf, you don't need to push complete TA.

for example:

[WinEventLog://Security]
disabled = 0
index = windows
#blacklist1 = EventCode=%^4663$% # example blacklist all 4663 event codes
#blacklist6 = EventCode = "4663" Message = "Process Name:\s+\\Device\\HarddiskVolume6\\Tomcat\\bin\\Tomcat9.exe" # blacklist Tomcat from EventCode 4663

Note: blacklists statements are commented

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/MonitorWindowseventlogdata#Create_advanced_f...

————————————
If this helps, give a like below.

dieguiariel · ‎08-10-2020

Yes, i've successfully blacklisted and whitelisted events with eventcoodes just with inputs.conf, but i couldn't "filter" the text inside the event, i need one eventcode but i don't need the text inside the event that begins with "this event is generated..."

Only pushing the complete TA from windows i been able to do that. I get the event but not the part with "This event is generated..."

richgalloway · ‎08-04-2020

A slightly simpler method (from Splunk Add-on for Windows) uses SEDCMD

SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g

---
If this reply helps you, Karma would be appreciated.

dieguiariel · ‎08-05-2020

Hi, thanks for your response, I have a master server and an indexer server separately. I've installed the deployment server on the master. The Splunk Add-on for Windows must be installed in this case on both?

(based on https://docs.splunk.com/Documentation/WindowsAddOn/8.0.0/User/Install )

And later push the addon to the universal forwarders with the deployment server.

I will try this.

dieguiariel · ‎08-07-2020

Thanks, ive installed the addon, create a serverclass with some windows and deploy the app to the servers and its working. It seems that this has changed also the format of logs to xml.

thanks!

Saving License on Windows Events - Regex "This event..."

regex

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!