Getting Data In

How to configure a heavy forwarder to filter out the ending string from Windows security event logs?

kalianov
Path Finder

Hello guys

I'm trying to drop the end of all Security events:

This event is generated when a logon session is created. It is generated on the computer that was accessed.
....

My conf files on the Heavy Forwarder are:

transforms.conf

[win-event-cut-en]
DEST_KEY = _raw
REGEX = ((.*+[\v])+)(?=This event is generated when)
FORMAT = $1

props.conf

[WinEventLog:Security]
TRANSFORMS-windows_events =win-event-cut-en

However, this does not work.

1 Solution

javiergn
SplunkTrust

The syntax looks correct so just three questions:

  • Have you restarted your Heavy Forwarder after making those changes?
  • Where exactly did you configure those lines? Was it under system/local? Was it somewhere else?
  • How many hops are there between your event log collection and your heavy forwarder, and of what type (universal or heavy forwarders? something else?)?

Alternatively try the following SEDCMD line in your system/local/props.conf:

[source::WinEventLog:Security]
SEDCMD-win = s/(?mis)(Token Elevation Type indicates|This event is generated).*$//g

Source:

https://answers.splunk.com/answers/4752/disabling-or-removing-extra-description-text-in-windows-2008...
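To see what that SEDCMD actually does to an event before it reaches the indexer, here is an added Python example (not from this thread or from Splunk's code) that applies the same s/// expression to a constructed 4624 event; it assumes Python's re treats the (?mis) inline flags the same way Splunk's PCRE does, which holds for this pattern.

```python
import re

# Constructed sample (not a real captured log): the tail of a Windows Security
# 4624 event as Splunk ingests it, with the descriptive paragraph that the
# SEDCMD is meant to drop.
SAMPLE_4624 = """\
03/14/2024 10:15:22 AM
LogName=Security
EventCode=4624
ComputerName=WKS01.example.local
Message=An account was successfully logged on.

Subject:
\tAccount Name:\t\tWKS01$
\tLogon Type:\t\t\t3

New Logon:
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tEXAMPLE

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon.
"""

# The SEDCMD value from the answer above, exactly as written in props.conf.
SEDCMD_WIN = r"s/(?mis)(Token Elevation Type indicates|This event is generated).*$//g"

def parse_sedcmd(sed):
    """Split an s/regex/replacement/flags expression. Only '/' delimiters with no
    escaped '/' in the regex are handled (enough for the SEDCMD in this thread)."""
    m = re.fullmatch(r"s/(.*?)/(.*?)/([gi]*)", sed)
    if not m:
        raise ValueError("unsupported SEDCMD: %s" % sed)
    return m.groups()  # (pattern, replacement, flags)

def apply_sedcmd(raw, sed=SEDCMD_WIN):
    """Apply the SEDCMD to one event's _raw text, honouring the 'g' flag."""
    pattern, repl, flags = parse_sedcmd(sed)
    count = 0 if "g" in flags else 1  # re.sub: count=0 means replace all
    return re.sub(pattern, repl, raw, count=count)

def trim_and_check(raw):
    """Return (trimmed, fields_kept, description_gone) so the effect can be verified:
    the fields a detection would key on must survive, the boilerplate must not."""
    trimmed = apply_sedcmd(raw)
    fields_kept = all(k in trimmed for k in ("EventCode=4624", "Account Name:", "Logon Type:"))
    description_gone = "This event is generated" not in trimmed
    return trimmed, fields_kept, description_gone
```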

kalianov
Path Finder

Your variant with SEDCMD works well.
Thanks a lot!


javiergn
SplunkTrust

No worries.
If I were you I would still try to debug what's going on with the props and transforms alternative, as I couldn't see anything wrong with it. Keep in mind you might want to use this syntax in the future for a different use case.


kalianov
Path Finder

1. Yes, I have restarted my HF
2. My conf files are in $SPLUNK_HOME/system/local
3. My configuration is very simple: UF->HF->INDEXER

What is the difference between [source::WinEventLog:Security] and [WinEventLog:Security]?


javiergn
SplunkTrust

[source::WinEventLog:Security] --> uses the source field as a filter
[WinEventLog:Security] --> uses the sourcetype field as a filter

In terms of precedence, source will override sourcetype (and host) for settings that are specified in multiple categories of matching [] stanzas.

See details below from props.conf documentation:

[<spec>]
* This stanza enables properties for a given <spec>.
* A props.conf file can contain multiple stanzas for any number of different <spec>.
* Follow this stanza name with any number of the following attribute/value pairs, as appropriate
  for what you want to do.
* If you do not set an attribute for a given <spec>, the default is used.

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an event.
3. source::<source>, where <source> is the source, or source-matching pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed source type
   classification rule.
These are only considered as a last resort before generating a new source type based on the
source seen.

[<spec>] stanza precedence:

For settings that are specified in multiple categories of matching [<spec>] stanzas,
[host::<host>] settings override [<sourcetype>] settings. Additionally,
[source::<source>] settings override both [host::<host>] and
[<sourcetype>] settings.

Based on what you are saying, can you run btool in your heavy forwarder in order to identify potential app conflicts in your props.conf and transforms.conf files?

./splunk cmd btool props list --debug
./splunk cmd btool transforms list --debug

Hope that helps
