Splunk Search

How to filter Windows Security Event Logs containing machine name as username?

caroline_fortun
Explorer

Hello everyone,

I'm trying to filter some Windows Security Event Logs that contain the machine name as the username.
To do this I created the props.conf and transforms.conf files as below at the Windows machines where I've installed Splunk Forwarder. (/etc/system/local and /etc/apps/Splunk_TA_Windows/local).

props.conf

[WinEventLog:Security]
TRANSFORMS-null = setnull

transforms.conf

[setnull]
REGEX = (?ms)EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)(.*Security ID:.*\$).*Account.*
DEST_KEY = queue
FORMAT = nullQueue

Are there any errors in my regex? Do I have to do something else?
I already put the files at the indexer too but I am still getting events.

Best Regards,
Caroline Fortunato

0 Karma
1 Solution

Lowell
Super Champion

By Splunk forwarder do you mean "Universal Forwarder"? If so, please note that the Universal Forwarder does not handle data parsing; that's handled by the receiving system, like your Splunk Indexer.

If you place this configuration on your indexer and restart it, this filter should take effect for new events as they arrive.

This blog post may also be of interest to you: http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/


Update:

A possible, more efficient regex. (Test with your actual events before using it)

REGEX = (?ms)^[^\r\n]+[\r\n]+LogName=Security[\r\n]+SourceName=[^\r\n]+[\r\n]+EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)[\r\n].*?[\r\n]\s+Security ID:\s+([^\r\n]+\$)[\r\n]


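A way to check both regexes against sample events before routing anything to nullQueue, as Lowell suggests, is this added Python script (not part of the thread; it uses Python's re module, which is close to but not identical to Splunk's PCRE, and the accepted answer's regex with its stray `)` balanced). The 4624 events are constructed in the WinEventLog layout, and `make_event`, `dropped` and `compare` are names I chose; the user-logon sample shows that the original, greedy regex also drops an interactive logon by a person, because the Subject block of such an event names the machine account.

```python
import re

# The two transforms.conf regexes from the thread, run with Python's re module
# (close to, but not identical to, the PCRE engine Splunk uses).
ORIGINAL = re.compile(
    r"(?ms)EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)"
    r"(.*Security ID:.*\$).*Account.*"
)
IMPROVED = re.compile(
    r"(?ms)^[^\r\n]+[\r\n]+LogName=Security[\r\n]+SourceName=[^\r\n]+[\r\n]+"
    r"EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)"
    r"[\r\n].*?[\r\n]\s+Security ID:\s+([^\r\n]+\$)[\r\n]"
)

def make_event(subject_sid, subject_acct, logon_sid, logon_acct):
    """Constructed 4624 event in the layout Splunk's WinEventLog input emits:
    key=value header lines followed by the tab-indented message body."""
    return (
        "01/15/2015 10:12:34 AM\r\n"
        "LogName=Security\r\n"
        "SourceName=Microsoft Windows security auditing.\r\n"
        "EventCode=4624\r\n"
        "\r\nSubject:\r\n"
        f"\tSecurity ID:\t\t{subject_sid}\r\n"
        f"\tAccount Name:\t\t{subject_acct}\r\n"
        "\tAccount Domain:\t\tCORP\r\n"
        "\r\nNew Logon:\r\n"
        f"\tSecurity ID:\t\t{logon_sid}\r\n"
        f"\tAccount Name:\t\t{logon_acct}\r\n"
        "\tAccount Domain:\t\tCORP\r\n"
    )

# Constructed samples: a machine-account logon, and an interactive logon by a
# person, whose Subject block is SYSTEM acting under the machine account name.
MACHINE_LOGON = make_event("NT AUTHORITY\\SYSTEM", "WS01$", "CORP\\WS01$", "WS01$")
USER_LOGON = make_event("NT AUTHORITY\\SYSTEM", "WS01$", "CORP\\alice", "alice")

def dropped(pattern, event):
    """True if this transform would send the event to nullQueue."""
    return pattern.search(event) is not None

def compare(events):
    """Map each sample name to (dropped by ORIGINAL, dropped by IMPROVED)."""
    return {n: (dropped(ORIGINAL, e), dropped(IMPROVED, e)) for n, e in events.items()}

if __name__ == "__main__":
    for name, (o, i) in compare({"machine": MACHINE_LOGON, "user": USER_LOGON}).items():
        print(f"{name:8s} original={o!s:5} improved={i!s:5}")
```

Only the improved regex keeps the person's logon: it requires the Security ID line itself to end in `$`, while the original's `.*` can reach across lines to the `$` in the Subject's Account Name.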
caroline_fortun
Explorer

Hello Lowell,

I discovered the problem. I am using a heavy forwarder between the Windows Machines and the indexer so the parser occurs at the heavy forwarder.
I put the files at the heavy forwarder machine and restarted Splunk and it worked.

Thanks for your help!

Regards,
Carol

Lowell
Super Champion

Yeah, sorry, missed that comment at the end the first time I read through it. I'm looking closer at the regex now. It looks inefficient, but not sure if it's actually wrong. Without a sample event it's difficult to say for sure. Have you tested it using any tools like RegexBuddy or Kodos? Oh, keep in mind that the blog post is only relevant for the most recent versions of Splunk.

0 Karma

caroline_fortun
Explorer

I placed the files at the indexer too but it didn't work. I'll have a look at the post.

0 Karma