Getting Data In

Drop Windows Event Logs with EventID 5156 and not RFC 1918

rtalcik
Path Finder

Hi all,

So I wrote this in an attempt to reject all RFC1918-to-RFC1918 logs for Windows event logs with EventID 5156. Basically, log anything external but not internal-to-internal communication. The sample log is a snippet of what I am trying to drop.

Props.conf

[WinEventLog:Security]
TRANSFORMS-sec = WinEventCode5156Drop,WinEventCodeSecDrop,WinEventCodeSecPass

Transforms.conf  (Is order of operations my issue here?)

[WinEventCode5156Drop]
REGEX=((EventCode(?:\S+)5156)[\s\S]*(((((?:Source Address|Destination Address)(?:\S+))(?:\s)+10\.))|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.1[6-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.2[0-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.3[0-1])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+127\.0\.0\.1)|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+192\.168))[\s\S]*((((?:Source Address|Destination Address)(?:\S+))(?:\s)+10\.)|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.1[6-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.2[0-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.3[0-1])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+127\.0\.0\.1)|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+192\.168)))
DEST_KEY = queue
FORMAT = nullQueue


[WinEventCodeSecDrop]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue



[WinEventCodeSecPass]
REGEX=(?:^EventCode=|<EventID>)(4618|4649|4719|4765|4766|4794|4897|4964|5124|550|1102|4621|4675|4692|4693|4706|4713|4714|4715|4716|4724|4727|4735|4737|4739|4754|4755|4764|4764|480|4816|4865|4866|4867|4868|4870|4882|4885|4890|4892|4896|4906|4907|4908|4912|4960|4961|4962|4963|4965|4976|4977|4978|4983|4984|5027|5028|5029|5030|5035|5037|5038|5120|5121|5122|5123|5376|5377|5453|5480|5483|5484|5485|6145|6273|6274|6275|6276|6277|6278|6279|6280|640|619|24586|24592|24593|2454|4608|4609|4610|4611|4612|4614|4615|4616|4622|4624|4625|4634|4646|4647|4648|4650|4651|4652|4653|4654|4655|4656|4657|4658|4659|4660|4661|4662|4663|4664|4665|4666|4667|4668|4670|4671|4672|4673|4674|4688|4689|4690|4691|4694|4695|4696|4697|4698|4699|4700|4701|4702|4704|4705|4707|4709|4710|4711|712|4717|4718|4720|4722|4723|4725|4726|4728|4729|4730|4731|4732|4733|4734|4738|4740|4741|4742|4743|4744|4745|4746|4747|4748|4749|4750|4751|4752|473|4756|4757|4758|4759|4760|4761|4762|4767|4768|4769|4770|4771|4772|4774|4775|4776|4777|4778|4779|4781|4782|4783|4784|4785|4786|4787|4788|4789|4790|4793|4800|4801|4802|4803|4864|4869|4871|4872|4873|4874|4875|4876|4877|4878|4879|4880|4881|4883|4884|4886|4887|4888|4889|4891|4893|4894|4895|4898|902|4904|4905|4909|4910|4928|4929|4930|4931|4932|4933|4934|4935|4936|4937|4944|4945|4946|4947|4948|4949|4950|4951|4952|4953|4954|4956|4957|4958|499|4980|4981|4982|4985|5024|5025|5031|5032|5033|5034|5039|5040|5041|5042|5043|5044|5045|5046|5047|5048|5050|5051|5056|5057|5058|5059|5060|5061|5062|5063|5064|5065|5066|5067|5068|5069|5070|5125|5126|5127|5136|5137|5138|5139|5140|5141|5152|5153|5154|5155|5156|5157|5158|5159|5378|5440|5441|5442|443|5444|5446|5447|5448|5449|5450|5451|5452|5456|5457|5458|5459|5460|5461|5462|5463|5464|5465|5466|5467|5468|5471|5472|5473|5474|5477|5479|5632|5633|5712|5888|5889|5890|608|6144|6272|561|563|625|613|614|615|616|24577|24578|24579|24580|24581|24582|24583|24584|24588|24595|24621|5049|5478)
DEST_KEY = queue
FORMAT = indexQueue 

I can't figure out why this isn't working.

Sample Log

10/21/2021 10:06:05 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName= (REDACTED BY ME THE POSTER)
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=7865970185
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.

Application Information:
	Process ID:		1548
	Application Name:	\device\harddiskvolume4\windows\system32\dns.exe

Network Information:
	Direction:		Inbound
Source Address:                 10.10.211.7
	Source Port:		53
Destination Address:            10.1.0.0
	Destination Port:       57834
	Protocol:		17

Filter Information:
	Filter Run-Time ID:	90427
	Layer Name:		Receive/Accept
	Layer Run-Time ID:	44
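As an added example (not part of the post above, and not Splunk's own code), here is a small Python simulation of how a TRANSFORMS list is evaluated: the transforms run in the order listed in props.conf, and every one whose REGEX matches overwrites DEST_KEY=queue, so the last matching transform decides where the event goes. The drop regex is copied exactly from the posted transforms.conf; the pass regex keeps the posted anchor but its ID list is shortened to a few IDs from the page's list, 5156 included. The event text is a constructed copy of the posted sample (tabs replaced by spaces, application path omitted), plus a constructed second event whose destination is an external TEST-NET-3 address. The `multiline` flag is an assumption of this example: in Python, `^` only anchors at line starts under re.MULTILINE, and the code shows both readings of `^EventCode=` rather than settling which one Splunk's regex engine applies.

```python
import re

# Constructed copy of the posted sample event (same field layout as the post).
SAMPLE_INTERNAL = """10/21/2021 10:06:05 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=REDACTED
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=7865970185
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.

Application Information:
    Process ID:        1548
    Application Name:  dns.exe

Network Information:
    Direction:         Inbound
Source Address:                 10.10.211.7
    Source Port:       53
Destination Address:            10.1.0.0
    Destination Port:  57834
    Protocol:          17
"""

# Constructed variant: same event, but the peer is an external (TEST-NET-3) address.
SAMPLE_EXTERNAL = SAMPLE_INTERNAL.replace("10.1.0.0", "203.0.113.5")

# REGEX of [WinEventCode5156Drop], copied verbatim from the posted transforms.conf.
DROP_5156_REGEX = r"((EventCode(?:\S+)5156)[\s\S]*(((((?:Source Address|Destination Address)(?:\S+))(?:\s)+10\.))|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.1[6-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.2[0-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.3[0-1])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+127\.0\.0\.1)|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+192\.168))[\s\S]*((((?:Source Address|Destination Address)(?:\S+))(?:\s)+10\.)|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.1[6-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.2[0-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.3[0-1])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+127\.0\.0\.1)|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+192\.168)))"

# REGEX of [WinEventCodeSecDrop]: matches every event.
SEC_DROP_REGEX = r"."

# REGEX of [WinEventCodeSecPass] with the posted anchor; the ID list is shortened
# here to a few IDs taken from the posted list (5156 is in the posted list).
SEC_PASS_REGEX = r"(?:^EventCode=|<EventID>)(4624|4625|5156|5157)"

# (stanza name, REGEX, FORMAT written to DEST_KEY=queue), in the props.conf order.
TRANSFORMS = [
    ("WinEventCode5156Drop", DROP_5156_REGEX, "nullQueue"),
    ("WinEventCodeSecDrop", SEC_DROP_REGEX, "nullQueue"),
    ("WinEventCodeSecPass", SEC_PASS_REGEX, "indexQueue"),
]


def route_event(raw, transforms=TRANSFORMS, multiline=False):
    """Apply the transforms in order and return (final queue, trace).

    Each matching transform overwrites the queue, so the last match wins.
    The trace lists (stanza, matched?, queue after this stanza) per transform.
    multiline=True is an assumption that lets ^ anchor at every line start.
    """
    flags = re.MULTILINE if multiline else 0
    queue = "indexQueue"  # an event that matches nothing is indexed normally
    trace = []
    for name, regex, dest in transforms:
        matched = re.search(regex, raw, flags) is not None
        if matched:
            queue = dest
        trace.append((name, matched, queue))
    return queue, trace


def matched_stanzas(raw, multiline=False):
    """Names of the transforms whose REGEX matched, in evaluation order."""
    return [name for name, matched, _ in route_event(raw, multiline=multiline)[1] if matched]


if __name__ == "__main__":
    for label, raw in (("internal->internal", SAMPLE_INTERNAL), ("internal->external", SAMPLE_EXTERNAL)):
        for ml in (False, True):
            queue, trace = route_event(raw, multiline=ml)
            print(f"{label:20s} multiline={ml!s:5s} -> {queue}")
            for name, matched, q in trace:
                print(f"    {name:22s} matched={matched!s:5s} queue={q}")
```

Running it shows two things about the posted chain. The 5156 drop regex does match the posted sample (both addresses are RFC1918) and does not match the external variant, so the regex itself behaves as intended. The outcome, however, is decided by the later stanzas: the catch-all drop sends everything to nullQueue, and the pass stanza, when its regex matches, sends the event back to indexQueue because it is evaluated last.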
