Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- remove events from Windows security
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
remove events from Windows security
Receiving windows security logs from UF's
I have a created an app on my HF and put transforms and props in the local folder as such:
[WinEventLog:Security]
TRANSFORMS-setNull8 = NukeThumbs.db
[NukeThumbs.db]
REGEX = (?s).*Thumbs.db(?s).*
DEST_KEY = queue
FORMAT = nullQueue
However i'm still seeing windows eventlogs coming through to my splunk instance like the following:
D:\SYSTEM\FFMC\Hireline\FFFG Fireline 2016\Pete Register\201705 May\Thumbs.db
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible that your window event log is in multilines ? You could try to use (?ms) instead of (?s).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
[NukeThumbs.db]
REGEX = \\Thumbs\.db(?:[\r\n]+|$)
DEST_KEY = queue
FORMAT = nullQueue
Deploy this to your INDEXERS and restart all Splunk instances there. When testing your change, only examine events that were indexed AFTER the restarts (you can use something like _index_earliest=-2m or similar); older events will stay broken (not deleted).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so this wouldn't work at the HF level ? - i have no access to the splunk cloud indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it will work for HF; I should have written your parsing servers instead of Indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
applied to the HF and restarted HF still events being seen.
Also added:
[Nukesvchost]
REGEX = \[Ss]vchost.exe(?:[\r\n]+|)
DEST_KEY = queue
FORMAT = nullQueue
which looks right (In regex101.com)
however also doesnt stop the events
props and transforms are located in :
C:\ProgramFiles\Splunk\etc\apps\Splunk_TA_EventNukes\local
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have implemented the filtering in inputs.conf on the HF fir now - but still would like to know what could be the issue ..
Could it be something to do with the fact the HF's have a 0 byte license - they just forward he data to the cloud.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
