Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

remove events from Windows security

Esky73
Builder
‎06-03-2017 08:35 AM

Receiving windows security logs from UF's

I have a created an app on my HF and put transforms and props in the local folder as such:

[WinEventLog:Security]
TRANSFORMS-setNull8 = NukeThumbs.db

[NukeThumbs.db]
REGEX = (?s).*Thumbs.db(?s).*
DEST_KEY = queue
FORMAT = nullQueue

However i'm still seeing windows eventlogs coming through to my splunk instance like the following:

D:\SYSTEM\FFMC\Hireline\FFFG Fireline 2016\Pete Register\201705 May\Thumbs.db
Tags (1)
0 Karma
Reply

tlam_splunk
Splunk Employee
Splunk Employee
‎06-05-2017 08:53 PM

Is it possible that your window event log is in multilines ? You could try to use (?ms) instead of (?s).

0 Karma
Reply

woodcock
Esteemed Legend
‎06-03-2017 08:52 AM

Try this:

[NukeThumbs.db]
REGEX = \\Thumbs\.db(?:[\r\n]+|$)
DEST_KEY = queue
FORMAT = nullQueue

Deploy this to your INDEXERS and restart all Splunk instances there. When testing your change, only examine events that were indexed AFTER the restarts (you can use something like _index_earliest=-2m or similar); older events will stay broken (not deleted).

0 Karma
Reply

Esky73
Builder
‎06-03-2017 04:22 PM

so this wouldn't work at the HF level ? - i have no access to the splunk cloud indexers.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-03-2017 04:38 PM

Yes, it will work for HF; I should have written your parsing servers instead of Indexers.

0 Karma
Reply

Esky73
Builder
‎06-03-2017 05:41 PM

applied to the HF and restarted HF still events being seen.

Also added:

[Nukesvchost]
REGEX = \[Ss]vchost.exe(?:[\r\n]+|)
DEST_KEY = queue
FORMAT = nullQueue

which looks right (In regex101.com)

however also doesnt stop the events

props and transforms are located in :

C:\ProgramFiles\Splunk\etc\apps\Splunk_TA_EventNukes\local

0 Karma
Reply

Esky73
Builder
‎06-04-2017 06:24 PM

I have implemented the filtering in inputs.conf on the HF fir now - but still would like to know what could be the issue ..

Could it be something to do with the fact the HF's have a 0 byte license - they just forward he data to the cloud.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...