Why is multiline regex blacklisting all events for specifically 4656 only?

Hi All,
I can't seem to get this right.
I am trying to use regex to blacklist 4656 events where:
The account name ends in $
and
The object server is "PlugPlayManager"
Example of the Event:
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=server.domain
TaskCategory=Other Object Access Events
OpCode=Info
RecordNumber=2616184651
Keywords=Audit Success
Message=A handle to an object was requested.
Subject:
Security ID: domain\computer
Account Name: Computer$
Account Domain: domain
Logon ID: 0x2xxxxx81e5
Object:
Object Server: PlugPlayManager
Object Type: Security
Object Name: PlugPlaySecurityObject
Handle ID: 0x0
Process Information:
Process ID: 0x2d0
Process Name: C:\Windows\System32\svchost.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: Unknown specific access (bit 1)
Access Reasons: -
Access Mask: 0x2
Privileges Used for Access Check: -
Restricted SID Count: 0
I have tested multiple regexes and they all seem to work in regex101, but when I apply them, it instead blocks the entire EventCode.
Regex Example in windows_TA on UF
blacklist = EventCode="4656" Message="Account Name:.*?\$(?:[\S\s]*?)Object Server:.*?PlugPlayManager"
I have tried all manner of other combinations, all of which work on regex101. And if I change the account name to not include the ending $, or if I change the "object server", it will not match (in regex101).
But for some reason, the blacklist entry ends up blocking ALL 4656 events instead of just those that match.
Any help would be greatly appreciated, I do not want to have to block just based on one field in the log, I want to blacklist based on the username and object server.
Thanks in Advance
EDIT*:
I forgot to mention, each time I make the change and reload the Server Class, it does actually appear to work for about 3 minutes, then I get nothing. Is it the case where I need to wait for, say, 60 minutes or so?
Hi @geraldcontreras,
could you please try this regex:
(?ms).*Account Name:\s+Computer\$.*Object\s+Server:\s+PlugPlayManager
which you can test at https://regex101.com/r/qiR7FZ/1
so in your TA's stanza:
blacklist = EventCode="4656" Message="(?ms).*Account Name:\s+Computer\$.*Object\s+Server:\s+PlugPlayManager"
If this filter doesn't run on the TA, you can apply it on the Indexers:
In props.conf, set the TRANSFORMS-null attribute:
[wineventlog://Security]
TRANSFORMS-null= setnull
Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":
[setnull]
REGEX = (?ms).*Account Name:\s+Computer\$.*Object\s+Server:\s+PlugPlayManager
DEST_KEY = queue
FORMAT = nullQueue
For more info see https://docs.splunk.com/Documentation/Splunk/8.0.0/Forwarding/Routeandfilterdatad
Ciao.
Giuseppe
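As an added check that is not part of Giuseppe's answer or of Splunk's own code: before pushing a blacklist to the server class, run the two key=regex pairs against the 4656 event from the question plus constructed variants, so you can see that the rule drops only the intended events and leaves the rest of the handle-request audit trail intact. It assumes the semantics the thread relies on (an event is discarded only when every key's regex matches its value) and uses Python's `re` in place of Splunk's regex engine.

```python
import re

# Constructed sample modelled on the 4656 event in the question (fields trimmed).
EVENT_MATCH = """EventCode=4656
Message=A handle to an object was requested.
Subject:
Security ID: domain\\computer
Account Name: Computer$
Account Domain: domain
Object:
Object Server: PlugPlayManager
Object Type: Security
Object Name: PlugPlaySecurityObject
"""
# Constructed variants that a correct blacklist must NOT drop.
EVENT_USER = EVENT_MATCH.replace("Account Name: Computer$", "Account Name: jsmith")
EVENT_OTHER_SERVER = EVENT_MATCH.replace("Object Server: PlugPlayManager",
                                         "Object Server: Security")

# The key=regex pairs from the two blacklist lines in the thread.
BLACKLIST_GIUSEPPE = {
    "EventCode": r"4656",
    "Message": r"(?ms).*Account Name:\s+Computer\$.*Object\s+Server:\s+PlugPlayManager",
}
BLACKLIST_ORIGINAL = {
    "EventCode": r"4656",
    "Message": r"Account Name:.*?\$(?:[\S\s]*?)Object Server:.*?PlugPlayManager",
}

def parse_event(raw: str) -> dict:
    """Split a sample into the keys a blacklist can reference: EventCode from
    its own line, Message as everything from 'Message=' to the end."""
    code = re.search(r"^EventCode=(\d+)$", raw, re.M).group(1)
    msg = raw[raw.index("Message=") + len("Message="):]
    return {"EventCode": code, "Message": msg}

def is_blacklisted(event: dict, rules: dict) -> bool:
    """True only if every key's regex matches that key's value (assumed semantics)."""
    return all(re.search(rx, event.get(key, "")) for key, rx in rules.items())

def dropped(raw_events, rules) -> list:
    """Indexes of the events the given blacklist would discard."""
    return [i for i, raw in enumerate(raw_events)
            if is_blacklisted(parse_event(raw), rules)]

if __name__ == "__main__":
    samples = [EVENT_MATCH, EVENT_USER, EVENT_OTHER_SERVER]
    for name, rules in (("giuseppe", BLACKLIST_GIUSEPPE), ("original", BLACKLIST_ORIGINAL)):
        print(name, dropped(samples, rules))  # both print [0]
```

If a rule drops more than index 0 here, it is over-broad and would create the same audit gap the question describes once deployed.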
Hi Giuseppe,
Thanks for your advice.
This also ends up blacklisting all events rather than just those matching the regex.
I had tried many combinations prior to posting this question, all of which also work in regex101 but fail in the splunk_TA_windows.
I have tried a very simple regex blacklist for event 4656 and that also has the same effect. So it appears to be something unique to this event for some reason (I am using regex successfully on other EventCodes such as 5156, 4689 and 5145, and it is working as expected).
I will try using the props and transforms and see if that works.
Very strange that it appears to be unique (so far) to this one EventCode only.
I'll let you know how I go.
Thanks
Gerald