remove events from Windows security

Esky73
Builder

Receiving windows security logs from UF's

I have created an app on my HF and put transforms and props in the local folder as such:

[WinEventLog:Security]
TRANSFORMS-setNull8 = NukeThumbs.db

[NukeThumbs.db]
REGEX = (?s).*Thumbs.db(?s).*
DEST_KEY = queue
FORMAT = nullQueue

However, I'm still seeing Windows event logs coming through to my Splunk instance like the following:

D:\SYSTEM\FFMC\Hireline\FFFG Fireline 2016\Pete Register\201705 May\Thumbs.db
0 Karma

tlam_splunk
Splunk Employee

Is it possible that your Windows event log is multi-line? You could try using (?ms) instead of (?s).

0 Karma

woodcock
Esteemed Legend

Try this:

[NukeThumbs.db]
REGEX = \\Thumbs\.db(?:[\r\n]+|$)
DEST_KEY = queue
FORMAT = nullQueue

Deploy this to your INDEXERS and restart all Splunk instances there. When testing your change, only examine events that were indexed AFTER the restarts (you can use something like _index_earliest=-2m or similar); older events will stay broken (not deleted).

0 Karma

Esky73
Builder

So this wouldn't work at the HF level? I have no access to the Splunk Cloud indexers.

0 Karma

woodcock
Esteemed Legend

Yes, it will work for HF; I should have written your parsing servers instead of Indexers.

0 Karma

Esky73
Builder

Applied to the HF and restarted the HF; events are still being seen.

Also added:

[Nukesvchost]
REGEX = [Ss]vchost\.exe(?:[\r\n]+|$)
DEST_KEY = queue
FORMAT = nullQueue

which looks right (in regex101.com).

However, it also doesn't stop the events.

Props and transforms are located in:

C:\ProgramFiles\Splunk\etc\apps\Splunk_TA_EventNukes\local

0 Karma
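As an added illustration (not code from this thread), the Python script below applies the nullQueue regexes discussed above to constructed multi-line Windows Security event text the way a transforms.conf stanza would, where a match anywhere in _raw routes the event to nullQueue. The events, the `route_event` helper and the pattern names are constructed for this example; it also shows why a svchost pattern written as `\[Ss]vchost...` can never match, because `\[` is a literal bracket rather than a character class.

```python
import re

# Constructed sample events shaped like multi-line Windows Security log text
# (not real events from the thread). TRANSFORMS run on the first parsing
# instance in the pipeline; a UF does not parse, so the HF is where they apply.
THUMBS_EVENT = (
    "EventCode=4663\r\n"
    "Message=An attempt was made to access an object.\r\n"
    "Object Name:\tD:\\SYSTEM\\FFMC\\Reports\\Thumbs.db\r\n"
    "Process Name:\tC:\\Windows\\explorer.exe\r\n"
)
SVCHOST_EVENT = (
    "EventCode=4688\r\n"
    "Message=A new process has been created.\r\n"
    "New Process Name:\tC:\\Windows\\System32\\svchost.exe\r\n"
)
LOGON_EVENT = (
    "EventCode=4624\r\n"
    "Message=An account was successfully logged on.\r\n"
)

# Patterns from the thread plus a corrected svchost class (names are ours).
PATTERNS = {
    "thumbs":      r"\\Thumbs\.db(?:[\r\n]+|$)",
    "svchost_bug": r"\[Ss]vchost.exe(?:[\r\n]+|)",   # \[ = literal '[', never matches
    "svchost_fix": r"[Ss]vchost\.exe(?:[\r\n]+|$)",
}


def route_event(regex, event):
    """Mimic DEST_KEY=queue / FORMAT=nullQueue: a REGEX hit anywhere in the
    raw event drops it; otherwise it continues to the index queue."""
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def routing_table():
    """Route every constructed event through every pattern.
    Returns {pattern_name: {event_name: queue}}."""
    events = {"thumbs": THUMBS_EVENT, "svchost": SVCHOST_EVENT, "logon": LOGON_EVENT}
    return {name: {ev: route_event(rx, text) for ev, text in events.items()}
            for name, rx in PATTERNS.items()}


if __name__ == "__main__":
    for name, rows in routing_table().items():
        print(f"{name:12s} {rows}")
```

Only the corrected class sends the svchost event to nullQueue; the logon event is kept by every pattern, which is the behaviour to confirm before shipping a drop rule.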

Esky73
Builder

I have implemented the filtering in inputs.conf on the HF for now, but I would still like to know what the issue could be.

Could it be something to do with the fact that the HFs have a 0-byte license? They just forward the data to the cloud.

0 Karma