Using a universal forwarder to filter the Message Field from Windows Security Logs - Splunk 6

apchristie
Explorer

Hello,

We are trying to cut the message field out of all of the Windows Security Logs coming from our domain controllers. I have tried looking through some of the other answer posts and I have tried using this article where you put

[WinEventLog:Security] 
disabled = 0
suppress_text = 1

However I am not sure exactly what that references to remove data from the log. I know older answers said you could use a regex on the props.conf and transforms.conf file but I wasn't sure if that was still the best way for Splunk 6.

All that said, could anyone help with removing the Message text from Windows Security Logs? Thanks in advance!

0 Karma
1 Solution

dkuk
Path Finder

According to <splunk_home>\etc\system\README\inputs.conf.spec as below, the change you mention should remove the event description/text as you are trying to do:

[WinEventLog://<name>]

suppress_text = [0|1]
* Tells Splunk whether or not to include the description of the event text for a given 
  Event Log event.
* Optional. This parameter can be left empty.
* A value of 1 suppresses the inclusion of the event text description.
* A value of 0 includes the event text description.
* If no value is present, defaults to 0.

So your inputs.conf entry should look like:

[WinEventLog://Security]
disabled = 0
suppress_text = 1

This is what you have tried, right?

If it's not working, then double check that your config is going to be active by using the btool command from the <splunk_home>\bin folder:

splunk cmd btool inputs list --debug

and check that the block for WinEventLog://Security has the suppress_text value set to 1. Also ensure you restart Splunk after the config change.

By the way, this README folder where the above is located is extremely useful for looking at what parameters are available to you for each config file - there's a .spec and .example file for each config file you might use in Splunk.

Personally I've had mixed success with the Windows event log filtering built into v6. Filtering out event IDs in the input hasn't always completely filtered the event. Perhaps there are some nuances with the filter that I'm not aware of. When I wanted to filter out certain event IDs I ended up implementing nullQueue filtering using props and transforms.

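The btool check from the answer above, as an added example (not part of the original thread and not Splunk's own code): it parses `btool inputs list --debug` output, reports the effective suppress_text value for the Security stanza together with the file that set it, and flags stanza names or keys that do not match the spec form quoted in the answer. The sample output, the `dc_inputs` app name and the assumed line layout (file path, whitespace, config line) are constructed for illustration.

```python
import re

# Constructed sample of `splunk cmd btool inputs list --debug` output.
# Assumed layout: contributing file path, whitespace, then the config line.
SAMPLE = r"""
C:\Program Files\SplunkUniversalForwarder\etc\apps\dc_inputs\local\inputs.conf  [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf        index = default
C:\Program Files\SplunkUniversalForwarder\etc\apps\dc_inputs\local\inputs.conf  disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\dc_inputs\local\inputs.conf  suppress_text = 1
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf          [WinEventLog:Security]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf          surpress_text = 1
"""

# The path may contain spaces ("Program Files"), so split at the ".conf" suffix.
LINE = re.compile(r"^(?P<src>.*?\.conf)\s+(?P<body>\S.*)$")


def parse_btool(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        body = m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            current = stanzas.setdefault(body[1:-1], {})
        elif "=" in body and current is not None:
            key, value = (p.strip() for p in body.split("=", 1))
            current[key] = (value, m.group("src"))
    return stanzas


def audit(stanzas, name="Security"):
    """Effective suppress_text for WinEventLog://<name>, plus likely typos."""
    want = f"WinEventLog://{name}"
    # Per inputs.conf.spec, suppress_text defaults to 0 when absent.
    value, src = stanzas.get(want, {}).get("suppress_text", ("0", "<default>"))
    findings = [("effective", want, value, src)]
    for stanza, keys in stanzas.items():
        if stanza.lower().startswith("wineventlog") and "://" not in stanza:
            findings.append(("bad_stanza", stanza, None, None))
        for key, (val, ksrc) in keys.items():
            if key != "suppress_text" and re.fullmatch(r"su[rp]+ress_text", key):
                findings.append(("bad_key", key, val, ksrc))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_btool(SAMPLE)):
        print(finding)
```

To run it against a real forwarder, pass the captured btool output to `parse_btool` in place of `SAMPLE`.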

dkuk
Path Finder

No worries, glad to have helped.

0 Karma

apchristie
Explorer

Thank you. The issue was we had not put the entry in the correct inputs.conf file.

Thank you for the help; it was easy to spot with that command.

0 Karma

apchristie
Explorer

The quoted text was added to the inputs.conf file. Sorry, didn't say that in the original.

0 Karma