Solved: Event filtering is not working as expected... what...

cmlombardo · ‎02-13-2015

I am pulling my hair off on this one.
I am trying to remove from the windows firewall logs all the IPv6 link local and IPv4 multicast events.
Here are my props and transforms files:

PROPS.CONF

[Windows_Firewall]

TRANSFORMS-7_FilterUselessAddresses = filter_lladdresses, filter_multicast
TRANSFORMS-8_AssignToIndex = windowsfirewall_setindex_default

TRANSFORMS.CONF
[filter_lladdresses]
REGEX = (?i)^(?!.*fe80::).*$
FORMAT = sourcetype::Windows_Firewall
DEST_KEY = MetaData:Sourcetype

[filter_multicast]
REGEX = (?i)^(?!.*224\.0\.0\.).*$
FORMAT = sourcetype::Windows_Firewall
DEST_KEY = MetaData:Sourcetype


[windowsfirewall_setindex_default]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (?i)^sourcetype::Windows_Firewall
DEST_KEY = _MetaData:Index
FORMAT = wf_i

For some reasons which I can't figure out, these events are NOT filtered out.

I need another set of eyes to see what is wrong...

Thank you!

Claudio

cmlombardo · ‎02-13-2015

I solved my problem.

I changed transforms.conf this way:

[filter_lladdresses]
REGEX = (?i)^(?=.*fe80::).*$
DEST_KEY = queue
FORMAT = nullQueue

#Removes multicast traffic (224.0.0) stuff.
[filter_multicast]
REGEX = (?i)^(?=.*224\.0\.0\.).*$
DEST_KEY = queue
FORMAT = nullQueue

Now it works just fine.

View solution in original post

cmlombardo · ‎02-13-2015

I solved my problem.

I changed transforms.conf this way:

[filter_lladdresses]
REGEX = (?i)^(?=.*fe80::).*$
DEST_KEY = queue
FORMAT = nullQueue

#Removes multicast traffic (224.0.0) stuff.
[filter_multicast]
REGEX = (?i)^(?=.*224\.0\.0\.).*$
DEST_KEY = queue
FORMAT = nullQueue

Now it works just fine.

Event filtering is not working as expected... what's missing?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!