Splunk Search

Why can't I filter out Kerberos events from my Windows event logs?

Communicator

I want to filter out Windows security events whose TaskCategory begins with "Kerberos".

props.conf

[source::WinEventLog:Security]
TRANSFORMS-Drop_TaskCategory = Drop_Kerberos, Drop_FilteringPlatform

transforms.conf

[Drop_FilteringPlatform]
REGEX=(?msi)^TaskCategory=Filtering\sPlatform
DEST_KEY=queue
FORMAT=nullQueue

[Drop_Kerberos]
REGEX=(?msi)^TaskCategory=Kerberos
DEST_KEY=queue
FORMAT=nullQueue

The Filtering Platform... events are filtered out but the Kerberos... events are not.

Anyone with Windows 2008 servers can get plenty of examples from the Splunk query:

TaskCategory="Filtering Platform*" OR TaskCategory="Kerberos*"

Re: Why can't I filter out Kerberos events from my Windows event logs?

Splunk Employee

I think that the fields in the raw text of the event are delimited by : rather than =. I don't have access to events from a Windows machine (so not 100% sure) - it would be great if you posted a sample event that you're trying to filter out though.

If the fields are delimited by : then the following would do what you want

# [=:] accepts either delimiter; a single \s (not \\s) matches the space.
[Drop_FilteringPlatform]
REGEX=(?msi)^TaskCategory[=:]Filtering\sPlatform
DEST_KEY=queue
FORMAT=nullQueue

[Drop_Kerberos]
REGEX=(?msi)^TaskCategory[=:]Kerberos
DEST_KEY=queue
FORMAT=nullQueue

Re: Why can't I filter out Kerberos events from my Windows event logs?

Communicator

I checked by doing a

source=WinEventLog:Security TaskCategory=Kerberos* | eval raw=_raw | table raw

And fields are definitely delimited by =


Re: Why can't I filter out Kerberos events from my Windows event logs?

Communicator

Here's an example event:

08/09/11 12:09:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4768
EventType=0
Type=Information
ComputerName=XXXX.YYYY.ZZZZ
TaskCategory=Kerberos Authentication Service
OpCode=Info
RecordNumber=166028364
Keywords=Audit Success
Message=A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:       XXXX$
    Supplied Realm Name:    YYYY.ZZZZ
    User ID:            S-1-5-21-9999999999-9999999999-9999999999-9999

Service Information:
    Service Name:       krbtgt
    Service ID:     S-1-5-21-9999999999-9999999999-9999999999-999

Network Information:
    Client Address:     ::ffff:999.999.999.999
    Client Port:        13340

Additional Information:
    Ticket Options:     0x40810010
    Result Code:        0x0
    Ticket Encryption Type: 0x17
    Pre-Authentication Type:    2

Certificate Information:
    Certificate Issuer Name:        
    Certificate Serial Number:  
    Certificate Thumbprint:     

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
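A quick way to check the REGEX values from the props.conf/transforms.conf in the question against the raw event format posted above, before pushing them to an indexer. This is an added example, not code from the thread or from Splunk; the events are constructed placeholders in the key=value layout shown in the sample (the Filtering Platform and Logon events are assumed, with made-up EventCodes and Messages), and the matching emulates Splunk's behaviour of running each transform's REGEX over _raw with PCRE semantics, which Python's re module reproduces for these patterns. It also includes the doubled-backslash variant from the reply to show why `\\s` never matches a space.

```python
import re

# Constructed sample events (not real logs) in the key=value layout of the
# WinEventLog:Security event posted in this thread.
KERBEROS_EVENT = """08/09/11 12:09:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4768
EventType=0
Type=Information
ComputerName=XXXX.YYYY.ZZZZ
TaskCategory=Kerberos Authentication Service
OpCode=Info
Keywords=Audit Success
Message=A Kerberos authentication ticket (TGT) was requested.
"""

# Assumed event: EventCode and Message are illustrative placeholders.
FILTERING_PLATFORM_EVENT = """08/09/11 12:10:02 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
TaskCategory=Filtering Platform Connection
Message=The Windows Filtering Platform has permitted a connection.
"""

# Assumed event that must NOT be dropped by either transform.
LOGON_EVENT = """08/09/11 12:11:45 PM
LogName=Security
EventCode=4624
TaskCategory=Logon
Message=An account was successfully logged on.
"""

# REGEX values exactly as they would be written in transforms.conf.
# (?m) is what lets ^ anchor to the start of the TaskCategory line rather
# than only the start of the whole event.
TRANSFORMS = {
    "Drop_FilteringPlatform": r"(?msi)^TaskCategory=Filtering\sPlatform",
    "Drop_Kerberos": r"(?msi)^TaskCategory=Kerberos",
    # Doubled backslash as it appeared in the reply: \\s is a literal
    # backslash followed by 's', so it can never match "Filtering Platform".
    "Drop_FilteringPlatform_doubled": r"(?msi)^TaskCategory[=:]Filtering\\sPlatform",
}


def matching_transforms(event, transforms=TRANSFORMS):
    """Return the names of transforms whose REGEX matches the raw event.

    Splunk runs each REGEX over SOURCE_KEY (_raw by default) as an
    unanchored search, which re.search reproduces here.
    """
    return [name for name, pattern in transforms.items() if re.search(pattern, event)]


def would_be_dropped(event, transforms=TRANSFORMS):
    """True if at least one transform would route the event to nullQueue."""
    return bool(matching_transforms(event, transforms))


if __name__ == "__main__":
    for label, event in [("Kerberos", KERBEROS_EVENT),
                         ("Filtering Platform", FILTERING_PLATFORM_EVENT),
                         ("Logon", LOGON_EVENT)]:
        print(f"{label:20} dropped={would_be_dropped(event)} "
              f"by={matching_transforms(event)}")
```

If a pattern matches here but the events still reach the index, the regex is not the problem: index-time transforms like these only run where the data is parsed, so events already parsed by a full (heavy) forwarder arrive at the indexer cooked and skip the indexer's props.conf/transforms.conf entirely, which is consistent with the resolution in the last post.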

Re: Why can't I filter out Kerberos events from my Windows event logs?

Communicator

Looking closer, I noticed that it was really just one of my Windows servers that was still showing Kerberos events, and that server was still running Splunk 4.1. I upgraded the forwarder to a Universal Forwarder (v 4.2.2) and now I'm not seeing the forwarder events.

This was previously answered here: Filter Windows Events On Indexer from a Universal Forwarder
