Splunk Enterprise

Not working SEDCMD. Props.conf. help

gitingua
Communicator

Not working SEDCMD in my props.conf

 

/opt/splunk/etc/system/local/props.conf

 

[ActiveDirectory]

SEDCMD-mask_ms_pwd = s/(ms-Mcs-AdmPwd\s*=)\s*.*/ms-Mcs-AdmPwd=*******/ 

 

I checked it on regex101.com everything works. 

gitingua_0-1637233486910.png

 

 

wrote a line in props.conf and reloaded splunk. but still hides nothing

0 Karma
1 Solution

gitingua
Communicator

You can deploy a props.conf configuration utilising “SEDCMD” and have it apply to the sourcetype “ActiveDirectory”. This means, as the data is streaming into Splunk and before it ends up on disk “indexed”, it will be anonymised. To do this we utilise the Splunk “SEDCMD”. This is much like the sed command you would find on a *nix based system. Ideally the props.conf file should be placed on a Splunk Heavy Forwarder on it’s path towards the Indexer, you could place this configuration on an indexer, but to avoid potential performance issues try use a Splunk Heavy Forwarder.

 deploy-server vim /opt/splunk/etc/deployment-apps/Splunk_TA_windows

# props.conf on a HF. 
[ActiveDirectory]
SEDCMD-anonymiseLaps = s/ms-Mcs-AdmPwd\=.*/ms-Mcs-AdmPwd=####!!!!!#####/g

save 

 

deploy-server$ /opt/splunk/bin/splunk reload deploy-server

 

 

 

View solution in original post

0 Karma

gitingua
Communicator

You can deploy a props.conf configuration utilising “SEDCMD” and have it apply to the sourcetype “ActiveDirectory”. This means, as the data is streaming into Splunk and before it ends up on disk “indexed”, it will be anonymised. To do this we utilise the Splunk “SEDCMD”. This is much like the sed command you would find on a *nix based system. Ideally the props.conf file should be placed on a Splunk Heavy Forwarder on it’s path towards the Indexer, you could place this configuration on an indexer, but to avoid potential performance issues try use a Splunk Heavy Forwarder.

 deploy-server vim /opt/splunk/etc/deployment-apps/Splunk_TA_windows

# props.conf on a HF. 
[ActiveDirectory]
SEDCMD-anonymiseLaps = s/ms-Mcs-AdmPwd\=.*/ms-Mcs-AdmPwd=####!!!!!#####/g

save 

 

deploy-server$ /opt/splunk/bin/splunk reload deploy-server

 

 

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It would help to see a full event as it appears as though the current SEDCMD will replace everything that follows "ms-Mcs-AdmPwd=", not just the password.  Please post the event as text rather than a screenshot so we can test with it.

Recall that changes to SEDCMD affect only new data and not data that is already indexed.

---
If this reply helps you, Karma would be appreciated.
0 Karma

gitingua
Communicator

@richgalloway I know what's new. new events do not change

ms-Mcs-AdmPwd=a01LePq5

exactly what is needed. or the desired complete

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this regex.

SEDCMD-mask_ms_pwd = s/(ms-Mcs-AdmPwd)=(.*)/\1=******/g
---
If this reply helps you, Karma would be appreciated.
0 Karma

gitingua
Communicator

not working 

i changed and rebooted at 18:52. at 18:55 the event came as before

gitingua_0-1637251211464.jpeg

 

props.conf 

[ActiveDirectory]

SHOULD_LINEMERGE = false

LINE_BREAKER = ([\r\n]+---splunk-admon-end-of-event---\r\n[\r\n]*)

EXTRACT-GUID = (?i)(?!=\w)(?:objectguid|guid)\s*=\s*(?<guid_lookup>[\w\-]+)

EXTRACT-SID = objectSid\s*=\s*(?<sid_lookup>\S+)

SEDCMD-mask_ms_pwd = s/(ms-Mcs-AdmPwd)=(.*)/\1=******/g

 

Maybe something from the other lines bothers him?

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Would you mind sharing the raw event?  That is what SEDCMD sees so it's what we should be working with.

---
If this reply helps you, Karma would be appreciated.
0 Karma

gitingua
Communicator

@richgalloway 

 

no access to raw data. but I found a question similar to mine. and there are sources where they show an example. I drove them but also unsuccessfully

https://community.splunk.com/t5/Getting-Data-In/ms-Mcs-AdmPwd-Plaintext-in-Splunk/td-p/562704

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Where are you putting the props.conf file?  It must be on the indexers and, if you have them, heavy forwarders.  The instances must be restarted after making changes.

---
If this reply helps you, Karma would be appreciated.
0 Karma

gitingua
Communicator

@richgalloway 

 

i solved this problem

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please share how you solved the problem so others might benefit from your experience.

---
If this reply helps you, Karma would be appreciated.
0 Karma

gitingua
Communicator

indexer 

/opt/splunk/etc/system/local/props.conf 

Yes. I restarted every time I changed there

 @richgalloway 

0 Karma
Get Updates on the Splunk Community!

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...