I want to filter out Windows security events whose TaskCategory begins with "Kerberos".
props.conf
[source::WinEventLog:Security]
TRANSFORMS-Drop_TaskCategory = Drop_Kerberos, Drop_FilteringPlatform
transforms.conf
[Drop_FilteringPlatform]
REGEX=(?msi)^TaskCategory=Filtering\sPlatform
DEST_KEY=queue
FORMAT=nullQueue
[Drop_Kerberos]
REGEX=(?msi)^TaskCategory=Kerberos
DEST_KEY=queue
FORMAT=nullQueue
The Filtering Platform... events are filtered out but the Kerberos... events are not.
Anyone with Windows 2008 servers can get plenty of examples from the Splunk query:
TaskCategory="Filtering Platform*" OR TaskCategory="Kerberos*"
Looking closer, I noticed that it was really just one of my Windows servers that was still showing Kerberos events, and that server was still running Splunk 4.1. I upgraded the forwarder to a Universal Forwarder (v 4.2.2) and now I'm not seeing the forwarder events.
This was previously answered here: Filter Windows Events On Indexer from a Universal Forwarder
Here's an example event:
08/09/11 12:09:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4768
EventType=0
Type=Information
ComputerName=XXXX.YYYY.ZZZZ
TaskCategory=Kerberos Authentication Service
OpCode=Info
RecordNumber=166028364
Keywords=Audit Success
Message=A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: XXXX$
Supplied Realm Name: YYYY.ZZZZ
User ID: S-1-5-21-9999999999-9999999999-9999999999-9999
Service Information:
Service Name: krbtgt
Service ID: S-1-5-21-9999999999-9999999999-9999999999-999
Network Information:
Client Address: ::ffff:999.999.999.999
Client Port: 13340
Additional Information:
Ticket Options: 0x40810010
Result Code: 0x0
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
I think that the fields in the raw text of the event are delimited by : rather than =. I don't have access to events from a Windows machine (so not 100% sure) - it would be great if you posted a sample event that you're trying to filter out though
If the fields are delimited by : then the following would do what you want
[Drop_FilteringPlatform]
REGEX=(?msi)^TaskCategory[=:]Filtering\sPlatform
DEST_KEY=queue
FORMAT=nullQueue
[Drop_Kerberos]
REGEX=(?msi)^TaskCategory[=:]Kerberos
DEST_KEY=queue
FORMAT=nullQueue
I checked by doing a
source=WinEventLog:Security TaskCategory=Kerberos* | eval raw=_raw | table raw
And fields are definitely delimited by =
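As an added example (not part of the thread, and not Splunk's or either poster's code), here is a small Python script that parses transforms.conf-style stanzas like the ones above, runs them in the order a TRANSFORMS- setting lists them, and reports which queue each sample event would land in, so a filter can be checked offline before it is deployed to a heavy forwarder or indexer. The sample events are constructed, trimmed copies of the 4768 event posted above (host, realm and IDs are placeholders) plus constructed 5156, 4624 and colon-delimited 4769 events. It also shows three things the thread touches on: the double-escaped `\\s` as the answer is rendered matches a literal backslash and drops nothing; without the `m` flag `^` only anchors at the very start of `_raw`, so a TaskCategory line that is not the first line never matches; and `[=:]` on its own does not cover a colon followed by a space, which needs `[=:]\s*`. Python's `re` is used as a stand-in for Splunk's PCRE engine, which for these patterns behaves the same (an assumption, fine for this class of regex).

```python
import re

# Constructed transforms.conf text in the thread's stanza format. The first two
# are the answer's stanzas with a single-backslash \s; Drop_Broken keeps the
# double-escaped \\s as the answer renders it, which matches a literal backslash.
TRANSFORMS_CONF = r"""
[Drop_FilteringPlatform]
REGEX=(?msi)^TaskCategory[=:]Filtering\sPlatform
DEST_KEY=queue
FORMAT=nullQueue
[Drop_Kerberos]
REGEX=(?msi)^TaskCategory[=:]Kerberos
DEST_KEY=queue
FORMAT=nullQueue
[Drop_Broken]
REGEX=(?msi)^TaskCategory[=:]Filtering\\sPlatform
DEST_KEY=queue
FORMAT=nullQueue
"""
# Value of the TRANSFORMS- setting in props.conf; stanzas run left to right.
PROPS_TRANSFORMS = "Drop_Kerberos, Drop_FilteringPlatform"

# Constructed sample events (placeholder host/realm), trimmed to the key=value
# per line layout of the 4768 event in the thread. Splunk hands each one to the
# transforms as a single multi-line _raw string.
KERBEROS_4768 = """08/09/11 12:09:26 PM
LogName=Security
EventCode=4768
ComputerName=XXXX.YYYY.ZZZZ
TaskCategory=Kerberos Authentication Service
Message=A Kerberos authentication ticket (TGT) was requested.
"""
FILTERING_5156 = """08/09/11 12:10:01 PM
LogName=Security
EventCode=5156
TaskCategory=Filtering Platform Connection
Message=The Windows Filtering Platform has permitted a connection.
"""
LOGON_4624 = """08/09/11 12:10:05 PM
LogName=Security
EventCode=4624
TaskCategory=Logon
Message=An account was successfully logged on.
"""
# Constructed colon-delimited layout (the form the answer guessed at). Note the
# space after the colon: [=:] alone does not match it, [=:]\s* does.
KERBEROS_4769_COLON = """08/09/11 12:10:09 PM
LogName: Security
EventCode: 4769
TaskCategory: Kerberos Service Ticket Operations
"""


def parse_transforms(text):
    """Parse [stanza] / KEY=value lines into {stanza: {KEY: value}}.
    Splits on the first '=' only, so '[=:]' inside a REGEX value survives."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def transform_order(props_value):
    """Turn 'A, B' from a TRANSFORMS-<class> setting into ['A', 'B']."""
    return [name.strip() for name in props_value.split(",") if name.strip()]


def route(raw_event, stanzas, order):
    """Apply DEST_KEY=queue transforms in order. Each matching stanza overwrites
    the queue, so the last match decides; the default is the index queue.
    Returns (queue, [names of stanzas that matched])."""
    queue, matched = "indexQueue", []
    for name in order:
        stanza = stanzas[name]
        if stanza.get("DEST_KEY") != "queue":
            continue
        if re.search(stanza["REGEX"], raw_event):
            queue = stanza["FORMAT"]
            matched.append(name)
    return queue, matched


def would_match(regex, raw_event):
    """True if regex hits the multi-line event; handy for trying a pattern
    (with or without the m flag, with [=:] or [=:]\\s*) against one _raw."""
    return re.search(regex, raw_event) is not None


STANZAS = parse_transforms(TRANSFORMS_CONF)
ORDER = transform_order(PROPS_TRANSFORMS)

if __name__ == "__main__":
    samples = {"4768": KERBEROS_4768, "5156": FILTERING_5156,
               "4624": LOGON_4624, "4769 (colon)": KERBEROS_4769_COLON}
    for label, event in samples.items():
        print(label, route(event, STANZAS, ORDER))
    print("Drop_Broken on 5156:", route(FILTERING_5156, STANZAS, ["Drop_Broken"]))
    print("no m flag on 4768:", would_match(r"(?si)^TaskCategory=Kerberos", KERBEROS_4768))
```

Paste your own transforms.conf stanzas into TRANSFORMS_CONF and a copy of `_raw` from `| table _raw` into a sample string to check a filter before restarting Splunk. Two caveats worth keeping in mind: transforms that send data to nullQueue must run where parsing happens (an indexer or heavy forwarder, not a Universal Forwarder, which is why the 4.1 forwarder in the thread behaved differently), and a stanza that drops on `TaskCategory=Kerberos` discards 4768/4769/4771 failures along with successes, so an audit team may prefer a narrower regex that keeps `Keywords=Audit Failure`.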