Activity Feed
- Karma Re: How to filter inputs.conf whitelist content for Windows event logs? for ryanoconnor. 06-05-2020 12:48 AM
- Posted Re: Problem with Windows Security logs field extractor on Splunk Search. 06-28-2016 11:40 PM
- Posted Re: Why is my REGEX in transforms.conf not working to filter data to nullQueue? on Splunk Search. 06-27-2016 01:10 AM
- Posted Re: Problem with Windows Security logs field extractor on Splunk Search. 06-26-2016 11:37 PM
- Posted Re: Problem with Windows Security logs field extractor on Splunk Search. 06-24-2016 12:00 AM
- Posted Problem with Windows Security logs field extractor on Splunk Search. 06-23-2016 06:46 AM
- Tagged Problem with Windows Security logs field extractor on Splunk Search. 06-23-2016 06:46 AM
- Tagged Problem with Windows Security logs field extractor on Splunk Search. 06-23-2016 06:46 AM
- Posted Re: Why is my REGEX in transforms.conf not working to filter data to nullQueue? on Splunk Search. 06-22-2016 12:02 AM
- Posted Why is my REGEX in transforms.conf not working to filter data to nullQueue? on Splunk Search. 06-21-2016 06:54 AM
- Tagged Why is my REGEX in transforms.conf not working to filter data to nullQueue? on Splunk Search. 06-21-2016 06:54 AM
- Tagged Why is my REGEX in transforms.conf not working to filter data to nullQueue? on Splunk Search. 06-21-2016 06:54 AM
- Tagged Why is my REGEX in transforms.conf not working to filter data to nullQueue? on Splunk Search. 06-21-2016 06:54 AM
- Tagged Why is my REGEX in transforms.conf not working to filter data to nullQueue? on Splunk Search. 06-21-2016 06:54 AM
- Posted Re: How to filter inputs.conf whitelist content for Windows event logs? on Getting Data In. 06-17-2016 02:01 AM
- Posted Re: How to filter inputs.conf whitelist content for Windows event logs? on Getting Data In. 06-16-2016 08:55 AM
- Posted How to filter inputs.conf whitelist content for Windows event logs? on Getting Data In. 06-16-2016 03:21 AM
- Tagged How to filter inputs.conf whitelist content for Windows event logs? on Getting Data In. 06-16-2016 03:21 AM
- Tagged How to filter inputs.conf whitelist content for Windows event logs? on Getting Data In. 06-16-2016 03:21 AM
- Tagged How to filter inputs.conf whitelist content for Windows event logs? on Getting Data In. 06-16-2016 03:21 AM
06-28-2016
11:40 PM
It doesn't seem to work :(. The mystery is still running.
06-27-2016
01:10 AM
Mhh this time I'm sure your regex is correct, good job.
However, it still doesn't work and I think there is something tricky I don't see in my files.
Since ObjectName is not directly a field of the log (I mean it is just displayed as a part of the message field), maybe there is a problem :(.
06-26-2016
11:37 PM
It seems that doesn't work. I have tried modifying the expression a little, since the exact format is:
```text
...
Informations sur la demande d’accès :
(1tab)Masque d’accès :(1tab)0x100081
(1tabs)Accès :(1space)(1tab)SYNCHRONIZE
(4tabs)Lecture données (ou liste de répertoire)
(4tabs)ReadAttributes
...
```
with tabulations, but without success.
06-24-2016
12:00 AM
Thanks for your reply.
How can I manage the fact that there is not always the same number of fields? In my example there are 3 lines, but I have to manage other logs with more or fewer values.
Sometimes there are 5 fields, sometimes 1.
The only indicator is the blank line (\n\n or maybe \r\n\r\n) after the Access field.
06-23-2016
06:46 AM
Hi guys,
I'm auditing a file server of my domain (access, read, write...) with Windows event logs and Splunk, and it is rather functional.
However I have a problem with the "intelligent file extraction".
A standard collected security log has the following structure:
```text
06/23/2016 03:08:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=
TaskCategory=Partage de fichiers détaillé
OpCode=Informations
RecordNumber=20907498
Keywords=Succès de l’audit
Message=Un objet du partage réseau a été vérifié afin de savoir si l’accès souhaité peut être accordé au client.
Sujet :
ID de sécurité : ...
Nom du compte : Someone
Domaine du compte : ...
ID d’ouverture de session : ...
Informations sur le réseau :
Type d’objet : File
Adresse source : ...
Port source : ...
Informations de partage :
Nom de partage : ...
Chemin d’accès du partage : ...
Nom cible relatif : ...
Informations sur la demande d’accès :
Masque d’accès : ...
Accès : SYNCHRONIZE
Lecture données (ou liste de répertoire)
ReadAttributes
Résultat de la vérification d’accès :
SYNCHRONIZE: Accordé par D:(A;;FA;;;WD)
Lecture données (ou liste de répertoire): Accordé par D:(A;;FA;;;WD)
ReadAttributes: Accordé par D:(A;;FA;;;WD)
```
Here we have the "Accès" (access) field, which has 3 values (it could be more; it depends on the user action on the file), a set of values corresponding to the real action of the user (write, save, read...).
My problem is that the intelligent field extractor just considers Access to be the first value; the other values are considered as proper fields, since Windows logs don't always use the same pattern...
I tried to manually extract fields, with the native Splunk functionality or with the Field Extractor App. I don't know if my log is too long, but it is truncated after "ID de Sécurité" (Security ID).
Do you know how to do this?
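An added example, written for this page and not taken from the poster or from Splunk, showing how the multi-valued "Accès" block can be pulled out as one unit by using the blank line (or the next column-0 section header) as the terminator, instead of relying on the automatic extractor. The 5145 message fragments below are constructed; the tab layout is an assumption about how Windows renders the message, to be checked against a real _raw event.

```python
import re
from typing import List

# Constructed 5145 message fragments (not copied from the post). The tab layout
# is an assumption about how Windows renders the message: section headers at
# column 0, fields tab-indented, and extra "Accès" values on their own indented
# lines until a blank line.
MESSAGE_THREE_VALUES = (
    "Informations sur la demande d’accès :\n"
    "\tMasque d’accès :\t0x100081\n"
    "\tAccès :\t\tSYNCHRONIZE\n"
    "\t\t\t\tLecture données (ou liste de répertoire)\n"
    "\t\t\t\tReadAttributes\n"
    "\n"
    "Résultat de la vérification d’accès :\n"
    "\tSYNCHRONIZE: Accordé par D:(A;;FA;;;WD)\n"
)
# CRLF line endings and a single value, which the poster says also happens.
MESSAGE_ONE_VALUE = (
    "Informations sur la demande d’accès :\r\n"
    "\tMasque d’accès :\t0x20\r\n"
    "\tAccès :\t\tWriteData (ou AddFile)\r\n"
    "\r\n"
    "Résultat de la vérification d’accès :\r\n"
)
# Block directly followed by the next section, without a blank line.
MESSAGE_NO_BLANK_LINE = (
    "\tAccès :\t\tReadAttributes\n"
    "\t\t\t\tWriteAttributes\n"
    "Résultat de la vérification d’accès :\n"
)
# A 4656 message carries no "Accès" block at all.
MESSAGE_4656 = "Objet :\n\tType d’objet :\t\tFile\n\tNom de l’objet :\t\tC:\\Users\\x\n"

# The block starts at a line beginning with "Accès :" and ends at the first blank
# line, at the next column-0 line (a section header), or at end of message.
# Case-sensitive on purpose so "Masque d’accès" / "demande d’accès" do not match.
ACCESS_BLOCK_RE = re.compile(
    r"(?ms)^[ \t]*Accès[ \t]*:[ \t]*(.*?)(?=\r?\n[ \t]*\r?\n|\r?\n\S|\Z)"
)


def extract_access_values(message: str) -> List[str]:
    """Return every value of the multi-line "Accès" field, in order."""
    m = ACCESS_BLOCK_RE.search(message)
    if not m:
        return []
    return [line.strip() for line in m.group(1).splitlines() if line.strip()]


def access_summary(message: str) -> str:
    """Single-line form, convenient for a report column or a search-time field."""
    return " | ".join(extract_access_values(message))


if __name__ == "__main__":
    samples = [("3 values", MESSAGE_THREE_VALUES), ("1 value", MESSAGE_ONE_VALUE),
               ("no blank line", MESSAGE_NO_BLANK_LINE), ("4656", MESSAGE_4656)]
    for label, msg in samples:
        print(f"{label:>13}: {extract_access_values(msg)}")
```

Splunk search-time EXTRACT stanzas take a PCRE with named groups, so the same pattern with a named capture (for example (?<Access>...)) is a starting point for a props.conf extraction, with the captured block split into a multivalue field afterwards; that this works unchanged on the forwarder-side event, tabs and blank lines intact, is an assumption to verify on a real _raw event rather than on the copy shown in the post.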
06-22-2016
12:02 AM
No, that was not exactly what I meant, sorry for my bad English.
Actually I want the string to match the EventID and " Nom de l’objet : " but NOT the ObjectName, i.e. the filename (i.e. the file is not in C:\epic).
This regex doesn't work since it matches pretty much anything in the folder name.
About this, is it possible to define a configuration that matches the ObjectName to send ONLY the matching logs, instead of dropping the logs which don't match through nullQueue?
06-21-2016
06:54 AM
Hi,
I want to filter Windows Security event logs in (/etc/system/local/)props.conf/transforms.conf.
Here is my transforms.conf file:
```ini
[FilterEventWindows]
REGEX=(?is)^.*EventCode=(5145|4656).*(Nom de l’objet :\t\t(?!C:\\epic\\*))(.*)$
DEST_KEY = queue
FORMAT = nullQueue
```
i.e. I only want events 5145|4656 with the ObjectName (of the filesystem) in C:\epic.
A standard log looks like this:
```text
06/21/2016 02:31:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=
TaskCategory=Système de fichiers
OpCode=Informations
RecordNumber=1764752
Keywords=Succès de l’audit
Message=Un handle vers un objet a été demandé.
Sujet :
ID de sécurité : TEST\Administrateur
Nom du compte : Administrateur
Domaine du compte : TEST
ID d’ouverture de session 0x1C307
Objet :
Serveur de l’objet : Security
Type d’objet : File
Nom de l’objet : C:\Users\Administrateur\Documents
ID du handle : 0x18b0
Attributs de ressource : -
Informations sur le processus :
ID du processus : 0x7d4
Nom du processus : C:\Windows\explorer.exe
```
After testing it on a (PHP) regex tester, it seems it should work...
Obviously the problem is not fixed.
I tried many things around this syntax, like deleting/adding ^ and $, starting without .*, specifying (?s)(?i) or (?si)... I tested this regex with /gsi, and /si is right too, but I keep receiving events from other folders.
I tried Nom de l’objet :\t\t(?!C:\\epic\\* since I can filter event IDs with the whitelist, but it is wrong too.
My props.conf file is simply
```ini
[WinEventLog:Security]
TRANSFORMS-FilterEvent = FilterEventWindows
```
Am I missing something?
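An added example, not from the poster or from Splunk, that exercises the posted nullQueue REGEX offline against constructed 4656 events before it is trusted in production. Splunk evaluates transforms regexes with PCRE against _raw, and Python's re agrees with PCRE for every construct used here. The events are constructed; the tab-separated layout of a real event is an assumption, and the "tolerant" pattern is my alternative, not something the post proposes.

```python
import re
from typing import Optional

# Constructed sample events (not from the post), shaped like the 4656 event quoted
# above. Real Windows events separate label and value with tabs, which is what the
# posted REGEX relies on; the forum rendering shows spaces, so both are exercised.
EVENT_IN_EPIC = (
    "06/21/2016 02:31:14 PM\n"
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4656\n"
    "Message=Un handle vers un objet a été demandé.\n"
    "Objet :\n"
    "\tType d’objet :\t\tFile\n"
    "\tNom de l’objet :\t\tC:\\epic\\report.docx\n"
    "\tID du handle :\t\t0x18b0\n"
)
EVENT_OUTSIDE_EPIC = EVENT_IN_EPIC.replace(
    "C:\\epic\\report.docx", "C:\\Users\\Administrateur\\Documents")
# Same string prefix, different folder: C:\epicure is NOT inside C:\epic.
EVENT_EPICURE = EVENT_IN_EPIC.replace("C:\\epic\\report.docx", "C:\\epicure\\a.txt")
# Space-separated rendering, as the forum displays the event.
EVENT_OUTSIDE_EPIC_SPACES = EVENT_OUTSIDE_EPIC.replace("\t", " ")

# The REGEX exactly as posted in transforms.conf. Note that \\* means "zero or
# more backslashes", so "C:\epic" followed by "ure" also satisfies the lookahead.
POSTED_REGEX = r"(?is)^.*EventCode=(5145|4656).*(Nom de l’objet :\t\t(?!C:\\epic\\*))(.*)$"

# Assumed alternative (mine, not the poster's): tolerate any whitespace run and
# either apostrophe, and require a path separator or whitespace right after
# "C:\epic" so that C:\epicure is not mistaken for C:\epic. The lookahead also
# rejects a position still inside the whitespace run, so \s+ cannot backtrack
# to a shorter run and defeat the check.
TOLERANT_REGEX = (
    r"(?is)EventCode=(5145|4656).*Nom de l[’']objet :\s+(?!\s|C:\\epic(?:\\|\s))"
)


def routed_to_nullqueue(event: str, regex: str) -> bool:
    """True when the transform matches, i.e. the event would be sent to nullQueue."""
    return re.search(regex, event) is not None


def object_name(event: str) -> Optional[str]:
    """Pull the ObjectName value out of the message, for reporting only."""
    m = re.search(r"Nom de l[’']objet :\s+(\S.*)", event)
    return m.group(1).strip() if m else None


if __name__ == "__main__":
    samples = [("in C:\\epic", EVENT_IN_EPIC), ("outside", EVENT_OUTSIDE_EPIC),
               ("outside, spaces", EVENT_OUTSIDE_EPIC_SPACES), ("C:\\epicure", EVENT_EPICURE)]
    for label, ev in samples:
        print(f"{label:>16} {object_name(ev)!s:36} "
              f"posted->nullQueue={routed_to_nullqueue(ev, POSTED_REGEX)!s:5} "
              f"tolerant->nullQueue={routed_to_nullqueue(ev, TOLERANT_REGEX)}")
```

Running the block prints, for each sample, the ObjectName and whether each pattern would route it to nullQueue. Two things worth checking on the real _raw event rather than on a retyped copy: a transform that fails to match drops nothing, so a tab/space or apostrophe mismatch shows up as "still receiving events of other folders"; and the posted lookahead treats any path that merely starts with the characters C:\epic as in scope.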
06-17-2016
02:01 AM
Hi,
Finally, custom view configuration is rather limited and I'm not even sure I can do what I want, i.e. filtering the ObjectName field.
So I have just followed your advice on Splunk with transforms.conf and props.conf configuration.
Even if I thought that was the "dirty way", after filtering "Object Name C:*" (even C:\Windows should be almost perfect) I don't receive any logs from the chatty Windows anymore.
If you want to do the same, honestly, don't waste your time searching for weird Windows configuration and just filter any chatty folder.
It is finally quite easy and powerful.
Thanks for all.
06-16-2016
08:55 AM
Thanks for your reply.
Actually, my idea was to include only the events which concern this folder, with no restriction on the type of event (read, modification attempt, deletion...).
There is no specific format for stored files; the only condition is the path "C:\Myfolder*" (or C:\Myfolder*).
Is it possible to exclude a drive?
This way I could just set my folder as a shared network drive (and exclude any other drive).
You're right about the OS configuration; I have started configuring Windows logs with Advanced XML Filtering. It is a bit tedious, but this should work.
About that, do you know if it is possible to forward Windows logs of a customised View, which filters logs, in the same way as ordinary logs (I mean [Winevent://MyView] in inputs.conf, for example)?
06-16-2016
03:21 AM
Hello,
I configured an audit on a folder on Windows. Now I want to send it to my Splunk server, but there are many file audits configured by the system itself (file access in System32...) and I'm not interested in these logs.
So I need more than the event ID filter on the whitelist option of inputs.conf.
How can I do that, for example by checking the content of the log and only sending it if it contains C:\MyFolder?
Thanks