Receiving Windows security logs from UFs
I have created an app on my HF and put transforms and props in the local folder as such:

[WinEventLog:Security]
TRANSFORMS-setNull8 = NukeThumbs.db

[NukeThumbs.db]
REGEX = (?s).*Thumbs.db(?s).*
DEST_KEY = queue
FORMAT = nullQueue
However, I'm still seeing Windows event logs coming through to my Splunk instance like the following:
D:\SYSTEM\FFMC\Hireline\FFFG Fireline 2016\Pete Register\201705 May\Thumbs.db
[NukeThumbs.db]
REGEX = \\Thumbs\.db(?:[\r\n]+|$)
DEST_KEY = queue
FORMAT = nullQueue

Deploy this to your INDEXERS and restart all Splunk instances there. When testing your change, only examine events that were indexed AFTER the restarts (you can use something like _index_earliest=-2m or similar); older events will stay broken (not deleted).
Applied to the HF and restarted the HF; events are still being seen.
REGEX = [Ss]vchost\.exe(?:[\r\n]+|)
DEST_KEY = queue
FORMAT = nullQueue
which looks right (in regex101.com);
however, this also doesn't stop the events.
Props and transforms are located in:
I have implemented the filtering in inputs.conf on the HF for now, but I would still like to know what the issue could be.
Could it be something to do with the fact that the HFs have a 0-byte license? They just forward the data to the cloud.
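To reason about why a nullQueue filter does or does not fire, it helps to replay the props/transforms pairs from this thread against sample events offline. The script below is an added example written for this thread; it is not Splunk code and not code posted by anyone here. It models the parsing-time behaviour that matters for the question: a bare props.conf stanza name selects events by sourcetype, while [source::...] and [host::...] stanzas select by source and host (wildcards approximated with fnmatch); TRANSFORMS-* names transforms.conf stanzas; a transform with DEST_KEY = queue moves a matching event to the queue named by FORMAT, later matches overriding earlier ones. The three transforms are the ones quoted above (the svchost stanza name "NukeSvchost" is hypothetical, since the thread shows none), and the sample events are constructed, apart from the Thumbs.db path taken from the question. Splunk's regex engine is PCRE; Python's re rejects a mid-pattern (?s) from version 3.11 on, so the helper hoists such flags to the front, which is equivalent for these patterns.

```python
"""Offline model of Splunk's parsing-time nullQueue routing (added example,
not Splunk code). Models: props stanza selection by sourcetype / source:: /
host::, TRANSFORMS-* lookup, and DEST_KEY=queue / FORMAT=nullQueue drops,
with later matching transforms overriding earlier ones."""
import fnmatch
import re

_INLINE_FLAGS = re.compile(r"\(\?([imsx]+)\)")


def compile_pcre_like(pattern: str) -> "re.Pattern[str]":
    """PCRE accepts a global (?s) anywhere; Python 3.11+ only at the start.
    Hoist such flags to the front, which is equivalent for the regexes here."""
    flags = "".join(sorted(set("".join(_INLINE_FLAGS.findall(pattern)))))
    body = _INLINE_FLAGS.sub("", pattern)
    return re.compile(f"(?{flags}){body}" if flags else body)


def stanza_matches(stanza: str, event: dict) -> bool:
    """Which events a props.conf stanza applies to (wildcards approximated with fnmatch)."""
    for prefix in ("source::", "host::"):
        if stanza.startswith(prefix):
            return fnmatch.fnmatchcase(event[prefix[:-2]], stanza[len(prefix):])
    return event["sourcetype"] == stanza  # bare stanza name = sourcetype


def route(event: dict, props: dict, transforms: dict) -> str:
    """Return the queue the event ends up in: 'indexQueue' or 'nullQueue'."""
    queue = "indexQueue"
    for stanza, settings in props.items():
        if not stanza_matches(stanza, event):
            continue
        for key, value in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms[name]
                if t.get("DEST_KEY") == "queue" and compile_pcre_like(t["REGEX"]).search(event["_raw"]):
                    queue = t["FORMAT"]  # a later match overrides an earlier one
    return queue


# transforms.conf stanzas quoted in the thread ("NukeSvchost" is a hypothetical name).
TRANSFORMS = {
    "NukeThumbs.db":    {"REGEX": r"(?s).*Thumbs.db(?s).*",       "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "NukeThumbs.db.v2": {"REGEX": r"\\Thumbs\.db(?:[\r\n]+|$)",   "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "NukeSvchost":      {"REGEX": r"[Ss]vchost\.exe(?:[\r\n]+|)", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
}

# props.conf as posted (selects by sourcetype) and a variant that selects by source.
PROPS_BY_SOURCETYPE = {"WinEventLog:Security": {"TRANSFORMS-setNull8": "NukeThumbs.db"}}
PROPS_BY_SOURCE = {"source::WinEventLog:Security": {"TRANSFORMS-setNull8": "NukeThumbs.db.v2, NukeSvchost"}}

# Constructed sample events; only the Thumbs.db path comes from the question.
THUMBS_RAW = ("05/22/2017 10:15:01 AM\nLogName=Security\nEventCode=4663\n"
              "Object Name:\tD:\\SYSTEM\\FFMC\\Hireline\\FFFG Fireline 2016\\Pete Register\\201705 May\\Thumbs.db\n"
              "Access Mask:\t0x1\n")
SVCHOST_RAW = ("05/22/2017 10:15:02 AM\nLogName=Security\nEventCode=4688\n"
               "New Process Name:\tC:\\Windows\\System32\\svchost.exe\n")
MENTION_RAW = ("05/22/2017 10:15:03 AM\nLogName=Security\nEventCode=4688\n"
               "New Process Name:\tC:\\Windows\\System32\\cmd.exe\n"
               "Process Command Line:\tcmd.exe /c del Thumbs.db\n")
LOGON_RAW = "05/22/2017 10:15:04 AM\nLogName=Security\nEventCode=4624\nLogon Type:\t3\n"


def make_event(raw: str, sourcetype: str = "WinEventLog:Security",
               source: str = "WinEventLog:Security", host: str = "WIN-FS01") -> dict:
    return {"_raw": raw, "sourcetype": sourcetype, "source": source, "host": host}


def demo() -> dict:
    """Route each sample under each props variant; returns {(event, variant): queue}."""
    results = {}
    for label, raw in [("thumbs", THUMBS_RAW), ("svchost", SVCHOST_RAW),
                       ("mention", MENTION_RAW), ("logon", LOGON_RAW)]:
        # sourcetype WinEventLog:Security, the case the posted stanza assumes
        results[(label, "as-posted")] = route(make_event(raw), PROPS_BY_SOURCETYPE, TRANSFORMS)
        # sourcetype WinEventLog with source WinEventLog:Security: the bare stanza selects nothing
        results[(label, "posted-vs-WinEventLog")] = route(
            make_event(raw, sourcetype="WinEventLog"), PROPS_BY_SOURCETYPE, TRANSFORMS)
        results[(label, "by-source")] = route(
            make_event(raw, sourcetype="WinEventLog"), PROPS_BY_SOURCE, TRANSFORMS)
    return results


if __name__ == "__main__":
    for (label, variant), queue in demo().items():
        print(f"{label:8} {variant:24} -> {queue}")
```

Two things the replay makes visible. First, the posted regex drops any event that mentions Thumbs.db anywhere (the constructed 4688 event whose command line deletes a Thumbs.db file goes to nullQueue too), whereas the anchored version only drops events whose path ends in \Thumbs.db; for a security log, the narrower pattern is the one to prefer, since a nullQueue drop leaves no index-time trace. Second, a stanza only fires when its selector matches what the parsing tier actually sees: in deployments where the Windows inputs assign sourcetype WinEventLog and put WinEventLog:Security in source (as newer versions of the Splunk Add-on for Microsoft Windows do), a bare [WinEventLog:Security] stanza selects nothing and a [source::WinEventLog:Security] stanza is needed. Parsing-time transforms run once, on the first instance that parses the event (the HF here, since the UF sends unparsed data), so checking sourcetype and source on a freshly indexed event after the restart is the quickest way to tell which selector the filter must use.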