I've spent the past couple of days trying to eliminate the message text from "this event is generated" until the end. I have seen numerous splunk answer pages, blogs, and configuration documentation that references to using a perl regex, suppress_text (this one eliminates all message text which includes the stuff I want), and props and transforms.
I have to be missing something basic because I have tried these clauses in numerous locations, but event 4624 still has 59 lines per entry. I get about 220K security messages per day and it takes up about 1.1 gb of my license (on a 172mb event log that rolls over less than twice per day but this is another issue).
1 Splunk Enterprise install - nix system
1 Domain controller 2008 with universal forwarder installed
I've tried the props entry regex:
[root:local]# pwd
/opt/splunk/etc/system/local
[root;local]# more props.conf
[source::WinEventLog:Security]
SEDCMD-win = s/(?mis)(Token Elevation Type indicates|This event is generated).*$//g
Also in [root:local]# pwd
/opt/splunk/etc/apps/Splunk_TA_windows/local
to enabled:
stop/start the splunk forwarder service on the Domain Controller.
I have also tried props and transforms:
Props
###### Windows Security Event Log ######
[source::*:Security]
#CMZ adds
#SEDCMD-shortern4624 = SEDCMD-shortern4624 = s/(?mis)(.*EventCode=4624.*)This event is generated when a logon session.*$/\1/g
TRANSFORM-windows_events = win_event_shortener
transforms
#Added by CMZ
#[shorten4624]
#REGEX = (?ms)(.*EventCode=4624.*)This event is generated when a logon session
#DEST_KEY = _raw
#FORMAT = $1
[win_event_shortener]
DEST_KEY = _raw
REGEX = ((.*+[\v])+)(?=This event is generated)
FORMAT = $1
un-remarking as needed of course
Are these supposed to go in the app local directory like Splunk_TA_windows or the system/local folder?
I know about this:
Precedence order within global context:
When the context is global (that is, where there's no app/user context), directory priority descends in this order:
1. System local directory -- highest priority
2. App local directories
3. App default directories
4. System default directory -- lowest priority
But I don't understand why this is being captured.
... View more