Getting Data In

building a search on windows event security logs

udiggity
New Member

I'm trying to build a search on Windows event logs that will exclude activity by the real-time antivirus scanner and return a list of users in order of amount of data accessed... Not sure if this is possible. Below is the line I'd like to filter on, as that is the AV program. Can anyone point me in the right direction... Should point out that I am very new to Splunk and don't know much about the built-in searching tools (reading docs now).

Image File Name: E:\Program Files\CA\eTrustITM\InoRT.exe

0 Karma
1 Solution

David
Splunk Employee

Looking high level, you have two different options. If your logs are absolutely filled with those entries, you can filter them out altogether so that they won't be in Splunk. How to do that depends on how you are getting the event log data into Splunk (e.g., WMI, Lasso, etc.). Answers.splunk.com and the Splunk Documentation are filled with questions about how to do that, but here's a couple that might be useful:

A simpler approach, though, would be to just exclude it from your search. For example, if a search for Windows Security Event Logs is sourcetype=windows_security you could run:

sourcetype=windows_security NOT "Image File Name: E:\Program Files\CA\eTrustITM\InoRT.exe"

That will leave you with the security event log information, excluding the AV activity. Apart from cleanliness and speed, the big advantage of the first approach is that it won't count against your quota.

Hopefully that answers your question.


0 Karma

udiggity
New Member

Thanks, that regex string did it! I really appreciate the help.

0 Karma

udiggity
New Member

Thank you very much, I am trying that now! I appreciate the help, my regex looked nothing like that...

0 Karma

David
Splunk Employee
Splunk Employee

Ah, yeah. That does sound like a regex issue, if you're able to filter out other events from the source. I'd go with the regex:
Image File Name: .*?InoRT.exe
myself. That should match InoRT.exe anywhere in the event, which I'd guess is good enough for your needs. You should be able to use the full string, but you'll likely need to escape the slashes. I haven't done event filtering myself, but I would expect that you would need to replace every \ with \\.

0 Karma
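The two index-time patterns discussed above (the loose `.*?InoRT.exe` form and the full path with doubled backslashes) can be checked offline before they go into transforms.conf. The following is an added example, not code from the thread or from Splunk: it holds a props.conf/transforms.conf pair of the kind the accepted answer alludes to, routes a few constructed sample events the way a nullQueue transform would, and shows why the path pasted in unescaped fails outright. Python's `re` stands in for Splunk's PCRE engine here; the stanza names, the `WMI:WinEventLog:Security` sourcetype and the field layout of the sample events are assumptions, not taken from the original post.

```python
import re

# Added example (not from the thread). Assumed sourcetype and stanza names.
# Splunk's REGEX is PCRE, so every backslash in the literal path must be
# doubled and the dot in ".exe" escaped, exactly as in the conf text below.
PROPS_CONF = r"""
# assumed sourcetype for a WMI-collected Security event log
[WMI:WinEventLog:Security]
TRANSFORMS-drop_av = drop_inort
"""

TRANSFORMS_CONF = r"""
[drop_inort]
REGEX = Image File Name: E:\\Program Files\\CA\\eTrustITM\\InoRT\.exe
DEST_KEY = queue
FORMAT = nullQueue
"""

# The AV path quoted in the question, as a plain string (no regex escaping).
AV_PATH = r"E:\Program Files\CA\eTrustITM\InoRT.exe"

# Pattern from the reply above: matches InoRT.exe anywhere after the field name.
LOOSE_REGEX = r"Image File Name: .*?InoRT\.exe"
# Full-path pattern; re.escape turns each "\" into "\\" and "." into "\.".
STRICT_REGEX = "Image File Name: " + re.escape(AV_PATH)
# The path pasted in as-is: "\P", "\C", "\I" are not valid escapes in PCRE or in
# Python, so the pattern is rejected rather than silently matching nothing.
UNESCAPED_REGEX = "Image File Name: " + AV_PATH

# Constructed sample events; the field layout is an assumption, not real log data.
SAMPLE_EVENTS = [
    "Image File Name: E:\\Program Files\\CA\\eTrustITM\\InoRT.exe  Primary User Name: SYSTEM",
    "Image File Name: C:\\WINDOWS\\system32\\notepad.exe  Primary User Name: jsmith",
    "Image File Name: E:\\Program Files\\CA\\eTrustITM\\InoRT.exe  Primary User Name: SYSTEM",
    "Image File Name: C:\\WINDOWS\\explorer.exe  Primary User Name: alice",
]


def pattern_compiles(regex):
    """True if the regex engine accepts the pattern; False on a malformed escape."""
    try:
        re.compile(regex)
        return True
    except re.error:
        return False


def route_events(events, regex):
    """Emulate the transforms.conf filter: events matching REGEX go to the
    nullQueue (dropped), everything else is indexed. Returns (indexed, dropped)."""
    rx = re.compile(regex)
    indexed, dropped = [], []
    for ev in events:
        (dropped if rx.search(ev) else indexed).append(ev)
    return indexed, dropped


def search_time_exclude(events, literal):
    """Approximate the search-time form  NOT "<literal>"  from the accepted
    answer: a case-insensitive substring test, no regex escaping needed."""
    needle = literal.lower()
    return [ev for ev in events if needle not in ev.lower()]


if __name__ == "__main__":
    for name, rx in (("loose", LOOSE_REGEX), ("strict", STRICT_REGEX),
                     ("unescaped", UNESCAPED_REGEX)):
        print(f"{name:9s} compiles: {pattern_compiles(rx)}")
    indexed, dropped = route_events(SAMPLE_EVENTS, STRICT_REGEX)
    print(f"indexed {len(indexed)} events, sent {len(dropped)} to nullQueue")
    print("search-time NOT leaves", len(search_time_exclude(SAMPLE_EVENTS, AV_PATH)))
```

The point the script makes is the one the reply above guesses at: the quoted string in a `NOT "..."` search is a literal and needs no escaping, while the same string in `REGEX =` is a pattern, so `\P`, `\C` and `\I` have to become `\\P`, `\\C` and `\\I` before the transform will even load. Once the conf is in place, the indexer applies it only to new data; events already indexed stay searchable unless excluded at search time.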

udiggity
New Member

Thank you, I'll try this. Yeah, I tried filtering it in the props and transforms files but couldn't get the regex to work right. I am filtering on multiple system accounts successfully at the moment, so I'm fairly certain it is just a matter of getting the proper regex string. I am using WMI to get the EV logs from my Windows servers.

0 Karma