I want to filter out Windows security events whose TaskCategory begins with "Kerberos".
# props.conf
[source::WinEventLog:Security]
TRANSFORMS-Drop_TaskCategory = Drop_Kerberos, Drop_FilteringPlatform

# transforms.conf
[Drop_FilteringPlatform]
REGEX=(?msi)^TaskCategory=Filtering\sPlatform
DEST_KEY=queue
FORMAT=nullQueue

[Drop_Kerberos]
REGEX=(?msi)^TaskCategory=Kerberos
DEST_KEY=queue
FORMAT=nullQueue
The Filtering Platform... events are filtered out but the Kerberos... events are not.
Anyone with Windows 2008 servers can get plenty of examples from the Splunk query:
TaskCategory="Filtering Platform*" OR TaskCategory="Kerberos*"
I think that the fields in the raw text of the event are delimited by : rather than =. I don't have access to events from a Windows machine (so not 100% sure) - it would be great if you posted a sample event that you're trying to filter out though.
If the fields are delimited by : then the following would do what you want:
# transforms.conf
# Splunk passes the text after REGEX= to the regex engine unchanged, so the
# whitespace escape is a single \s (a doubled backslash would match a literal
# backslash followed by "s" and the event would not be dropped).
[Drop_FilteringPlatform]
REGEX=(?msi)^TaskCategory[=:]Filtering\sPlatform
DEST_KEY=queue
FORMAT=nullQueue

[Drop_Kerberos]
REGEX=(?msi)^TaskCategory[=:]Kerberos
DEST_KEY=queue
FORMAT=nullQueue
I checked by doing a
source=WinEventLog:Security TaskCategory=Kerberos* | eval raw=_raw | table raw
And fields are definitely delimited by =
Here's an example event:
08/09/11 12:09:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4768
EventType=0
Type=Information
ComputerName=XXXX.YYYY.ZZZZ
TaskCategory=Kerberos Authentication Service
OpCode=Info
RecordNumber=166028364
Keywords=Audit Success
Message=A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:           XXXX$
    Supplied Realm Name:    YYYY.ZZZZ
    User ID:                S-1-5-21-9999999999-9999999999-9999999999-9999

Service Information:
    Service Name:           krbtgt
    Service ID:             S-1-5-21-9999999999-9999999999-9999999999-999

Network Information:
    Client Address:         ::ffff:999.999.999.999
    Client Port:            13340

Additional Information:
    Ticket Options:         0x40810010
    Result Code:            0x0
    Ticket Encryption Type: 0x17
    Pre-Authentication Type: 2

Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
Looking closer, I noticed that it was really just one of my Windows servers that was still showing Kerberos events, and that server was still running Splunk 4.1. I upgraded the forwarder to a Universal Forwarder (v 4.2.2) and now I'm not seeing the forwarder events.
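The regexes in the transforms above can be checked offline before they are pushed to an indexer. The following is an added example, not code from the thread or from Splunk: it feeds constructed events (modelled on the TaskCategory/field layout of the 4768 event posted above, with placeholder values) through the same (?msi) patterns, and a small route() function stands in for Splunk's DEST_KEY=queue / FORMAT=nullQueue routing (an assumption: any matching transform sends the event to nullQueue). It also shows the failure mode where the whitespace escape in the conf file is a doubled backslash, which is why the Filtering Platform pattern has to be written with a single \s. Remember that nullQueue routing happens at parse time, so these transforms must live on the indexer or a heavy forwarder, not on a universal forwarder.

```python
import re

# Constructed sample events (placeholder values), laid out the way Splunk's
# WinEventLog:Security input renders them: one "Field=Value" per line.
KERBEROS_EVENT = """08/09/11 12:09:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4768
EventType=0
Type=Information
ComputerName=XXXX.YYYY.ZZZZ
TaskCategory=Kerberos Authentication Service
OpCode=Info
RecordNumber=166028364
Keywords=Audit Success
Message=A Kerberos authentication ticket (TGT) was requested.
"""

FILTERING_PLATFORM_EVENT = """08/09/11 12:10:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
TaskCategory=Filtering Platform Connection
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
"""

# An event that must NOT be dropped, to confirm the filter is not too broad.
LOGON_EVENT = """08/09/11 12:10:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
TaskCategory=Logon
Keywords=Audit Success
Message=An account was successfully logged on.
"""

# The REGEX values exactly as they would appear after "REGEX=" in
# transforms.conf.  Splunk hands that text to the regex engine unchanged,
# so a backslash in the file is a backslash in the pattern.
TRANSFORMS = {
    "Drop_Kerberos": r"(?msi)^TaskCategory[=:]Kerberos",
    "Drop_FilteringPlatform": r"(?msi)^TaskCategory[=:]Filtering\sPlatform",
}

# Hypothetical "broken" variant: the doubled backslash the forum rendering
# showed.  As a regex this means a literal backslash followed by "s".
BROKEN_FILTERING_PLATFORM = r"(?msi)^TaskCategory[=:]Filtering\\sPlatform"


def matches(pattern, event):
    """True if the transforms.conf REGEX would match this raw event."""
    return re.search(pattern, event) is not None


def route(event, transforms=TRANSFORMS):
    """Simplified model of DEST_KEY=queue / FORMAT=nullQueue (assumption):
    an event matched by any listed transform is discarded, otherwise it
    continues to the index queue."""
    for pattern in transforms.values():
        if matches(pattern, event):
            return "nullQueue"
    return "indexQueue"


if __name__ == "__main__":
    for name, event in [("Kerberos", KERBEROS_EVENT),
                        ("FilteringPlatform", FILTERING_PLATFORM_EVENT),
                        ("Logon", LOGON_EVENT)]:
        print(f"{name:18} -> {route(event)}")
    print("broken \\\\s pattern drops Filtering Platform event:",
          matches(BROKEN_FILTERING_PLATFORM, FILTERING_PLATFORM_EVENT))
```

The (?m) flag is what makes ^ anchor at the start of each line of the multi-line event, so the pattern only fires on the TaskCategory field and not on the word "Kerberos" inside the Message text.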
This was previously answered here: Filter Windows Events On Indexer from a Universal Forwarder