Splunk Search

Why can't I filter out Kerberos events from my Windows event logs?

gpullis
Communicator

I want to filter out Windows security events whose TaskCategory begins with "Kerberos".

props.conf

[source::WinEventLog:Security]
TRANSFORMS-Drop_TaskCategory = Drop_Kerberos, Drop_FilteringPlatform

transforms.conf

[Drop_FilteringPlatform]
REGEX=(?msi)^TaskCategory=Filtering\sPlatform
DEST_KEY=queue
FORMAT=nullQueue

[Drop_Kerberos]
REGEX=(?msi)^TaskCategory=Kerberos
DEST_KEY=queue
FORMAT=nullQueue

The Filtering Platform... events are filtered out but the Kerberos... events are not.

Anyone with Windows 2008 servers can get plenty of examples from the Splunk query:

TaskCategory="Filtering Platform*" OR TaskCategory="Kerberos*"
0 Karma
1 Solution

gpullis
Communicator

Looking closer, I noticed that it was really just one of my Windows servers that was still showing Kerberos events, and that server was still running Splunk 4.1. I upgraded the forwarder to a Universal Forwarder (v 4.2.2) and now I'm not seeing the forwarder events.

This was previously answered here: Filter Windows Events On Indexer from a Universal Forwarder


0 Karma

gpullis
Communicator

Here's an example event:

08/09/11 12:09:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4768
EventType=0
Type=Information
ComputerName=XXXX.YYYY.ZZZZ
TaskCategory=Kerberos Authentication Service
OpCode=Info
RecordNumber=166028364
Keywords=Audit Success
Message=A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:       XXXX$
    Supplied Realm Name:    YYYY.ZZZZ
    User ID:            S-1-5-21-9999999999-9999999999-9999999999-9999

Service Information:
    Service Name:       krbtgt
    Service ID:     S-1-5-21-9999999999-9999999999-9999999999-999

Network Information:
    Client Address:     ::ffff:999.999.999.999
    Client Port:        13340

Additional Information:
    Ticket Options:     0x40810010
    Result Code:        0x0
    Ticket Encryption Type: 0x17
    Pre-Authentication Type:    2

Certificate Information:
    Certificate Issuer Name:        
    Certificate Serial Number:  
    Certificate Thumbprint:     

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
0 Karma

Ledion_Bitincka
Splunk Employee

I think that the fields in the raw text of the event are delimited by : rather than =. I don't have access to events from a Windows machine (so not 100% sure) - it would be great if you posted a sample event that you're trying to filter out though

If the fields are delimited by : then the following would do what you want

[Drop_FilteringPlatform]
REGEX=(?msi)^TaskCategory[=:]Filtering\sPlatform
DEST_KEY=queue
FORMAT=nullQueue

[Drop_Kerberos]
REGEX=(?msi)^TaskCategory[=:]Kerberos
DEST_KEY=queue
FORMAT=nullQueue
0 Karma
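
To check the nullQueue stanzas against real event text offline, before editing transforms.conf on the indexer, here is a small Python simulator added to this thread (it is not Splunk's code and not from either poster). It parses the [=:] stanzas from the reply above (which also cover the original = form), applies them in TRANSFORMS order the way Splunk resolves the queue key, and routes three sample events: the 4768 event posted earlier, plus a Filtering Platform event and a logon event constructed here. It assumes Python's re module reads the (?msi) prefix the same way Splunk's PCRE engine does, which holds for these flags.

```python
import re

# transforms.conf fragment under test: the [=:] variant from the reply, with
# the `\s` escape kept as a single backslash (constructed from the thread).
TRANSFORMS = r"""
[Drop_FilteringPlatform]
REGEX=(?msi)^TaskCategory[=:]Filtering\sPlatform
DEST_KEY=queue
FORMAT=nullQueue

[Drop_Kerberos]
REGEX=(?msi)^TaskCategory[=:]Kerberos
DEST_KEY=queue
FORMAT=nullQueue
"""
ORDER = ["Drop_Kerberos", "Drop_FilteringPlatform"]  # the TRANSFORMS-* list

# Events cut down to their header lines: the 4768 event posted above, plus a
# Filtering Platform event and a logon event constructed for this check.
KERBEROS_EVENT = "08/09/11 12:09:26 PM\nLogName=Security\nEventCode=4768\n" \
                 "TaskCategory=Kerberos Authentication Service\n"
FILTERING_EVENT = "08/09/11 12:10:00 PM\nLogName=Security\nEventCode=5156\n" \
                  "TaskCategory=Filtering Platform Connection\n"
LOGON_EVENT = "08/09/11 12:11:00 PM\nLogName=Security\nEventCode=4624\n" \
              "TaskCategory=Logon\n"

def parse_transforms(text):
    """Return {stanza: {key: value}} for a transforms.conf fragment."""
    stanzas, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def route(event, stanzas=None, order=ORDER):
    """Apply the listed transforms in order. Each REGEX hit overwrites the
    queue key, so the last matching stanza wins; default is indexQueue."""
    stanzas = stanzas or parse_transforms(TRANSFORMS)
    queue = "indexQueue"
    for name in order:
        s = stanzas[name]
        if s.get("DEST_KEY") == "queue" and re.search(s["REGEX"], event):
            queue = s["FORMAT"]
    return queue
```

Dropping the m flag from the stanzas makes ^ anchor only at the start of the event (the timestamp line), so nothing is dropped; that is the first thing to check when a regex that looks right still lets events through.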

gpullis
Communicator

I checked by doing a

source=WinEventLog:Security TaskCategory=Kerberos* | eval raw=_raw | table raw

And fields are definitely delimited by =

0 Karma