
REGEX problem transforms.conf WinEventLog:Security

nrelihan
Explorer

Hey, I'm having problems with my REGEX expression. I'm trying to filter out the following:

If an event has Type = Success Audit OR [Type = Information AND Keywords = Audit Success]

The below event should get filtered out:

06/16/11 03:32:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=DBPP-AD1-08.UOMS.IE
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=403184238
[event truncated in the post; 30 lines in total]

host=DBPP-AD1-08 | sourcetype=WinEventLog:Security | source=WinEventLog:Security | Keywords=Audit Success | Type=Information

transforms.conf:

[nullFilter]
REGEX = (?m)^(Type= Success Audit) | (Type = information && Keywords = Success Audit)
DEST_KEY = queue
FORMAT = nullQueue

Thanks for the help!


matthewhaswell
Path Finder

Try one at a time, then try to expand it. Also, I notice you have spaces in your regex?

If you need two, do something like this:
props.conf:
TRANSFORMS-set = setnullevents1,setnullevents2

and then transforms.conf:

[setnullevents1]
blah

[setnullevents2]
blah

From our working one to filter out specific hosts and events:

[setnullevents]
REGEX = (?ms)(EventCode=(17503|6105|6107|6106|6201)\D).*(ComputerName=(COMP-001|COMP-002|COMP-003))
DEST_KEY = queue
FORMAT = nullQueue

dshpritz
SplunkTrust

You may want to try:
REGEX = (?m)^(Type=Success\sAudit)|(Keywords=Audit\sSuccess.*Type=Information\sOptions)

dshpritz
SplunkTrust

Posted this yesterday, but it didn't seem to take. Based on the event shown in the email I got, here is another regex to try:
Type=Information\n(.*\n)+Keywords=Audit\sSuccess|Type=Success\sAudit


dshpritz
SplunkTrust

There was a comment which came through email, but not displayed here which showed the event data. Another regex to try:

Type=Information\n(.*\n)*Keywords=Audit\sSuccess|Type=Success\sAudit

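Because the thread never shows which of the candidate regexes actually matches a multi-line WinEventLog:Security event, here is an added harness (not code from the thread or from Splunk) that applies them the way Splunk does: an unanchored search over the raw event text, with fields laid out one per line. It runs the original poster's regex, dshpritz's revised line-aware regex from the post above, and matthewhaswell's host/event-code filter from earlier in the thread against constructed sample events. Event names, the placeholder EventCode 9999, and the COMP-002 host record are assumptions made for the example; the first event mirrors the EventCode=5145 event quoted in the thread.

```python
import re

# All events below are constructed for this example; the first mirrors the
# EventCode=5145 event quoted in the thread, the rest are invented to exercise
# the "keep" side of each filter. Fields are rendered one per line, which is
# the layout Splunk's WinEventLog input produces and the reason a single-line
# regex with literal spaces around "=" does not match.
def make_event(**fields):
    """Render a WinEventLog:Security-style raw event, one Field=Value per line."""
    head = ("06/16/11 05:52:59 PM\n"
            "LogName=Security\n"
            "SourceName=Microsoft Windows security auditing.\n")
    return head + "".join(f"{k}={v}\n" for k, v in fields.items())

EVENTS = {
    "information+audit success (thread)": make_event(
        EventCode="5145", EventType="0", Type="Information",
        ComputerName="DBPP-AD1-08.UOMS.IE", TaskCategory="Detailed File Share",
        OpCode="Info", RecordNumber="403262630", Keywords="Audit Success",
        Message="A network share object was checked to see whether client can be granted desired access."),
    # Older-style record where the outcome lives in Type rather than Keywords
    # (EventCode 9999 is a placeholder, not a real Windows event ID).
    "success audit (Type form)": make_event(
        EventCode="9999", Type="Success Audit",
        ComputerName="DBPP-AD1-08.UOMS.IE", Message="constructed placeholder"),
    # Must survive the filter: same Type, but an audit failure.
    "information+audit failure (keep)": make_event(
        EventCode="5145", Type="Information",
        ComputerName="DBPP-AD1-08.UOMS.IE", Keywords="Audit Failure",
        Message="constructed placeholder"),
    # For the host/event-code filter: a listed code on a listed host.
    "6105 on COMP-002": make_event(
        EventCode="6105", Type="Information", ComputerName="COMP-002",
        Keywords="Audit Failure", Message="constructed placeholder"),
    # Must survive: 61050 starts with 6105 but is a different event code.
    "61050 on COMP-002 (keep)": make_event(
        EventCode="61050", Type="Information", ComputerName="COMP-002",
        Keywords="Audit Failure", Message="constructed placeholder"),
}

# Candidate REGEX values, copied from the thread. Splunk evaluates these with
# PCRE; Python's re module agrees with PCRE for every construct used here.
REGEXES = {
    "original post": r"(?m)^(Type= Success Audit) | (Type = information && Keywords = Success Audit)",
    "dshpritz (line-aware)": r"Type=Information\n(.*\n)*Keywords=Audit\sSuccess|Type=Success\sAudit",
    # (?s) lets .* span line breaks; \D after the code stops 6105 matching 61050.
    "matthewhaswell (host/eventcode)": r"(?ms)(EventCode=(17503|6105|6107|6106|6201)\D).*(ComputerName=(COMP-001|COMP-002|COMP-003))",
}

def would_drop(regex, event):
    """A transforms.conf REGEX is an unanchored search over _raw: any match
    sends the event to nullQueue. Mirror that with re.search, not re.match."""
    return re.search(regex, event) is not None

def evaluate(regexes=REGEXES, events=EVENTS):
    """Return {regex name: {event name: dropped?}} for every combination."""
    return {name: {ev: would_drop(rx, raw) for ev, raw in events.items()}
            for name, rx in regexes.items()}

if __name__ == "__main__":
    for name, results in evaluate().items():
        print(name)
        for ev, dropped in results.items():
            print(f"  {'DROP' if dropped else 'keep'}  {ev}")
```

Two things the harness makes visible. The original regex drops nothing at all (the literal spaces and the `&&` never occur in the raw text), whereas the line-aware version drops both audit-success forms and keeps the audit-failure record. It only tells you whether the regex matches, though; it cannot tell you whether Splunk applied the transform in the first place, which is what the always-matching `(.*)` check later in the thread is for. Also note the cost of the broad filter: everything with `Keywords=Audit Success` includes successful logons and object-access records, not just the noisy filtering-platform events, so naming the specific EventCodes as in matthewhaswell's stanza is the safer pattern for a security log.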

nrelihan
Explorer

06/16/11 05:52:59 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=DBPP-AD1-08.UOMS.IE
TaskCategory=Detailed File Share
OpCode=Info
RecordNumber=403262630
Keywords=Audit Success
Message=A network share object was checked to see whether client can be granted desired access.


nrelihan
Explorer

I tried putting in (.*) as you suggested so I can see whether the transform is working, as I see nothing coming in.
No, the events aren't displaying correctly here, which is a bit annoying; it seems to ignore the line breaks. I'll try to print what it's like on Splunk Web with spaces in between lines.


dshpritz
SplunkTrust

You can change the regex to something which will always capture (like (.*)) to make sure Splunk is picking up the transform.

Also, is the event displaying correctly on the Answers site (with line breaks, etc)?


nrelihan
Explorer

I tried taking it out, but still nothing; everything seems to get through...

It's very strange. Here's the directory I have the two files in... any reason why you think it's failing to capture?

uoms@DBPP-Splunk:/opt/splunk/etc/system/local$ ls -la
-rwxrwxr-x 1 splunk splunk 18665 2011-06-13 17:15 props.conf
-rwxrwxr-x 1 splunk splunk 10793 2011-06-16 17:35 transforms.conf

Thanks,


dshpritz
SplunkTrust

If you take out the "(?m)^" at the start of the regex, does that help?


nrelihan
Explorer

auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=DBPP-AD1-08.UOMS.IE
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=403243973
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
  Process ID: 780
  Application Name: \device\harddiskvolume2\windows\system32\svchost.exe
Network Information:
  Direction: Inbound
  Source Address: 10.10.10.1
  Source Port: 135
  Destination Address: 10.10.12.184
  Destination Port: 2562
  Protocol: 6
Filter Information:
  Filter Run-Time ID: 0
  Layer Name: Receive/Accept
  Layer Run-Time ID: 44


nrelihan
Explorer

Thanks dshpritz, but I still get all these types in new searches of sourcetype="WinEventLog:Security".
I restarted Splunk after editing the transforms.conf.
Here is my props.conf:

[source::WinEventLog:Security]
TRANSFORMS-nullQ = nullFilter

I've added an event below that came in after the modification.
