I'm running Splunk 5.0 build 140868 on a Windows 2008 R2 server. I'm trying to audit file and folder deletes on this server, but the appropriate way to do this is to log for everyone. My Splunk service account, splunkrdba, makes changes to its logs constantly, so I want to send these events to the null queue, but I'm having issues with the regex. Below are my most recent props.conf, transforms.conf, and a sample log event that I'm trying to prevent.
Props.conf
[WinEventLog:Security]
TRANSFORMS-wmi= wminull
Transforms.conf
[wminull]
REGEX = (?msi)^Accoung_Name=splunkrdba
DEST_KEY = queue
FORMAT = nullqueue
02/08/2013 09:32:55 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4660
EventType=0
Type=Information
ComputerName= X
TaskCategory=File System
OpCode=Info
RecordNumber=3184693
Keywords=Audit Success
Message=An object was deleted.
Subject:
Security ID: RDBA\splunkrdba
Account Name: splunkrdba
Account Domain: RDBA
Logon ID: 0xb8bbf7
Object:
Object Server: Security
Handle ID: 0x64
Process Information:
Process ID: 0x1b00
Process Name: C:\Program Files\Splunk\bin\splunk-optimize.exe
Transaction ID: {00000000-0000-0000-0000-000000000000}
host=RDBALOG-002
sourcetype=WinEventLog:Security
source=WinEventLog:Security
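A small offline harness for checking a transforms.conf REGEX against a raw event before deploying it, added here as an example; it is not the poster's code or Splunk's. It assumes Python's re behaves like Splunk's PCRE for these constructs, and the sample event is constructed from the one above (real Windows events indent the Subject fields with tabs, which matters for a pattern anchored with ^).

```python
import re

# Constructed sample event modelled on the one in the question; the
# Subject fields are tab-indented as they are in real Windows events.
SAMPLE_EVENT = (
    "02/08/2013 09:32:55 AM\n"
    "LogName=Security\n"
    "EventCode=4660\n"
    "Message=An object was deleted.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tRDBA\\splunkrdba\n"
    "\tAccount Name:\t\tsplunkrdba\n"
    "\tAccount Domain:\t\tRDBA\n"
)

# The pattern as posted: misspelled field, '=' instead of ':', and with
# (?m) the '^' requires the field to start its line, which an indented
# line never does.
POSTED_REGEX = r"(?msi)^Accoung_Name=splunkrdba"

# A pattern that matches the field as it actually appears in the event.
# \s* tolerates the indentation; \b keeps 'splunkrdba2' from matching.
FIXED_REGEX = r"(?msi)^\s*Account Name:\s*splunkrdba\b"


def would_nullqueue(event: str, regex: str) -> bool:
    """Return True if the transform REGEX matches this raw event.

    Splunk evaluates a transform's REGEX against the whole raw event,
    so re.search over the full text is the comparable check (assumption:
    Python re is close enough to PCRE for these constructs).
    """
    return re.search(regex, event) is not None


def check_transform(regex: str, events: dict) -> dict:
    """Map each named sample event to whether the transform would drop it."""
    return {name: would_nullqueue(ev, regex) for name, ev in events.items()}


if __name__ == "__main__":
    other_user = SAMPLE_EVENT.replace("splunkrdba", "jsmith")
    samples = {"service_account": SAMPLE_EVENT, "other_user": other_user}
    for label, rx in (("posted", POSTED_REGEX), ("fixed", FIXED_REGEX)):
        print(label, check_transform(rx, samples))
```

Only the service-account event should come back True for the fixed pattern; an ordinary user's delete must still be indexed.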