Splunk Search

REGEX to filter out event records

aportela
New Member

At the indexer, we are trying to exclude event records from incoming windows logs that have Logon_Type=3.

Below is the configuration that we have, but it doesn't seem to work. Also, is there a way to test this code via the Search option in the UI before putting it in the conf files?

props.conf entry:

[source::WinEventLog:Security]
TRANSFORMS-nullq=Remove_Logon_Type_3

transforms.conf entry:

[Remove_Logon_Type_3]
REGEX=(?msi).*Logon Type:\s*3\D
DEST_KEY=queue
FORMAT=nullQueue

Sample event record below; we are trying to eliminate records by matching a text string in the record, because we are not sure whether we can explicitly name a specific field like "Logon_Type".

09/04/2013 06:18:26 PM
LogName=Security
SourceName=Security
EventCode=538
EventType=8
Type=Success Audit
ComputerName=SNODEV106
User=polypaths
Sid=S-1-5-21-1971354296-1767978563-709122288-167354
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=3049159
Message=User Logoff:
        User Name:  polypaths
        Domain:     CGUSER
        Logon ID:   (0x0,0x644269C)
        Logon Type: 3

Please advise.
Thanks… Al


kalianov
Path Finder

I use a blacklist stanza in the inputs.conf file on the UniversalForwarder:

blacklist1 = Message=".*Logon\sType:\s*3\D"


lukejadamec
Super Champion

Hello,
Yes, there is a way to test regex in a search. Use |regex _raw= as in the following.

index=main sourcetype="*security*" EventCode=538 |regex _raw=(?m).*Logon\sType:\s+3.*

I tested it and it worked. Try it in your transforms.conf.


lukejadamec
Super Champion

From what I understand, you have to discard everything before you keep something, or you have to keep everything before you discard something.

It would be the backwards version of this answer:
http://answers.splunk.com/answers/99905/how-to-forward-only-specific-windows-eventlogs-via-splunk-un...

props.conf

[source::WinEventLog:Security]
TRANSFORMS-nullq=KeepLogs,Remove_Logon_Type_3

transforms.conf

[KeepLogs]
REGEX= .
DEST_KEY=queue
FORMAT=indexQueue

[Remove_Logon_Type_3]
REGEX=(?msi).*Logon\sType:\s*3\D
DEST_KEY=queue
FORMAT=nullQueue

I'll test this in the morning.


aportela_work
Explorer

Belated thanks for your response, which did help us test the regex from "Splunk Search". We were able to tweak it as follows and successfully tested it in our env: REGEX=_raw=(?msi).*Logon\sType:\s*3\D

However, we were still having issues with the actual regex configuration: we had done the following on the heavy forwarder, but still could not filter out events.
props.conf

[source::WinEventLog:Security]
TRANSFORMS-nullq=Remove_Logon_Type_3

transforms.conf

[Remove_Logon_Type_3]
REGEX=(?msi).*Logon\sType:\s*3\D
DEST_KEY=queue
FORMAT=nullQueue

Please let me know if any of the config info looks out of place. And feel free to post any additional comments, ideas, etc. Thanks again... Al

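To try the thread's regexes against sample events before touching transforms.conf or inputs.conf, here is an added Python script written for this page; it is not code from Splunk or from any of the posters. It simulates three things discussed above: the ordered transforms pipeline from lukejadamec's second answer (assuming Splunk applies the transforms listed in a TRANSFORMS-<class> setting in order, with the last matching DEST_KEY=queue value winning), the inputs.conf Message="..." blacklist from kalianov's answer (assuming the key=regex form is matched against that field's value rather than the whole event), and the trailing \D in the regex used in the question and in aportela_work's follow-up, which demands a non-digit character after the 3 and therefore cannot match when "Logon Type: 3" is the last thing in the event. The sample events are constructed here from the record in the question, and Python's re module stands in for Splunk's PCRE, which behaves the same for these patterns.

```python
import re

# Constructed sample events (built for this example, not captured from a live
# system). The first reproduces the shape of the event in the question:
# "Logon Type: 3" is the final line, so nothing follows the digit.
EVENT_TYPE3_LAST_LINE = (
    "09/04/2013 06:18:26 PM\n"
    "LogName=Security\n"
    "SourceName=Security\n"
    "EventCode=538\n"
    "EventType=8\n"
    "Type=Success Audit\n"
    "ComputerName=SNODEV106\n"
    "User=polypaths\n"
    "Category=2\n"
    "CategoryString=Logon/Logoff\n"
    "RecordNumber=3049159\n"
    "Message=User Logoff:\n"
    "\tUser Name:\tpolypaths\n"
    "\tDomain:\t\tCGUSER\n"
    "\tLogon ID:\t(0x0,0x644269C)\n"
    "\tLogon Type:\t3"
)
# Same event with more message text after the digit (the usual case in practice).
EVENT_TYPE3_TRAILING = EVENT_TYPE3_LAST_LINE + "\n\tLogon Process:\tKerberos"
# Events that must NOT be dropped: a different logon type, and a two-digit value
# that merely starts with 3.
EVENT_TYPE2 = EVENT_TYPE3_LAST_LINE.replace("Logon Type:\t3", "Logon Type:\t2")
EVENT_TYPE30 = EVENT_TYPE3_LAST_LINE.replace("Logon Type:\t3", "Logon Type:\t30")

# The thread's transforms.conf regex, verbatim, and a variant that anchors the
# digit with a lookahead instead of demanding a following non-digit character.
THREAD_REGEX = r"(?msi).*Logon\sType:\s*3\D"
LOOKAHEAD_REGEX = r"(?msi)Logon\sType:\s*3(?!\d)"

# TRANSFORMS-<class> pipelines as ordered (REGEX, FORMAT) pairs for DEST_KEY=queue.
PIPELINE_THREAD = [(".", "indexQueue"), (THREAD_REGEX, "nullQueue")]
PIPELINE_LOOKAHEAD = [(".", "indexQueue"), (LOOKAHEAD_REGEX, "nullQueue")]


def route_event(raw, transforms, default_queue="indexQueue"):
    """Decide which queue an event lands in.

    Assumption about Splunk semantics: transforms listed in a TRANSFORMS-<class>
    setting run in order and each matching one overwrites DEST_KEY, so the last
    match wins. Splunk's REGEX is an unanchored search over _raw, hence re.search.
    """
    queue = default_queue
    for regex, fmt in transforms:
        if re.search(regex, raw):
            queue = fmt
    return queue


def message_field(raw):
    """Return the value of the Message= field (from 'Message=' to end of event)."""
    m = re.search(r"(?ms)^Message=(.*)\Z", raw)
    return m.group(1) if m else ""


def blacklist_matches(raw, field_regex):
    """Simulate an inputs.conf 'blacklist1 = Message="<regex>"' entry.

    Assumption: the key=regex form applies the regex to that field's value only,
    not to the whole event.
    """
    return re.search(field_regex, message_field(raw)) is not None


def summary():
    """Per sample event: (thread pipeline queue, lookahead pipeline queue,
    inputs.conf blacklist hit)."""
    events = {
        "type3_last_line": EVENT_TYPE3_LAST_LINE,
        "type3_trailing": EVENT_TYPE3_TRAILING,
        "type2": EVENT_TYPE2,
        "type30": EVENT_TYPE30,
    }
    return {
        name: (
            route_event(raw, PIPELINE_THREAD),
            route_event(raw, PIPELINE_LOOKAHEAD),
            blacklist_matches(raw, r".*Logon\sType:\s*3\D"),
        )
        for name, raw in events.items()
    }


if __name__ == "__main__":
    for name, (thread_q, lookahead_q, blacklisted) in summary().items():
        print(f"{name:16s} thread regex -> {thread_q:10s} "
              f"lookahead regex -> {lookahead_q:10s} blacklist hit -> {blacklisted}")
```

Running it prints the queue each sample event ends up in under both pipelines, plus whether the blacklist regex would have caught it. The event whose last line is "Logon Type: 3" is kept by the thread's regex and by the blacklist pattern, because \D needs a character after the digit; the same event with a further Message line is dropped. The lookahead variant drops Logon Type 3 in both cases and still keeps a value of 30. Reversing the pipeline order (nullQueue transform first, "." last) routes everything to indexQueue, which is the ordering point made in lukejadamec's second answer. The same patterns can be tried in the search bar with | regex _raw="..." as in lukejadamec's first answer before they go into a conf file.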