Splunk Search

Why is my REGEX in transforms.conf not working to filter data to nullQueue?

Aexyn
Engager

Hi,

I want to filter Windows Security event logs in (/etc/system/local/)props.conf/transforms.conf.

Here is my transforms.conf file:

[FilterEventWindows]
REGEX=(?is)^.*EventCode=(5145|4656).*(Nom de l’objet :\t\t(?!C:\\epic\\*))(.*)$
DEST_KEY = queue
FORMAT = nullQueue

i.e. I only want events 5145|4656 with the ObjectName (of the filesystem) in C:\epic.

A standard log looks like this:

06/21/2016 02:31:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName= 
TaskCategory=Système de fichiers
OpCode=Informations
RecordNumber=1764752
Keywords=Succès de l’audit
Message=Un handle vers un objet a été demandé.

Sujet :
    ID de sécurité :      TEST\Administrateur
    Nom du compte :     Administrateur
    Domaine du compte :     TEST
    ID d’ouverture de session         0x1C307

Objet :
    Serveur de l’objet :      Security
    Type d’objet :        File
    Nom de l’objet :      C:\Users\Administrateur\Documents
    ID du handle :      0x18b0
    Attributs de ressource :    -

Informations sur le processus :
    ID du processus :       0x7d4
    Nom du processus :      C:\Windows\explorer.exe

After testing it on a (PHP) regex tester, it seems it should work...
Obviously the problem is not fixed.
I tried many things around this syntax, like deleting/adding ^ and $, starting without .*, specifying (?s)(?i) or (?si)... I tested this regex with /gsi; /si is right too, but I keep receiving events of other folders.
I tried Nom de l’objet :\t\t(?!C:\\epic\\* since I can filter event IDs with a whitelist, but it is wrong too.

My props.conf file is simply

[WinEventLog:Security]
TRANSFORMS-FilterEvent = FilterEventWindows

Am I missing something?

0 Karma

richgalloway
SplunkTrust

It's not entirely clear what you want the regex to match, but this string matches the event code and the object name. It works at regex101.com.

(?s)EventCode=(5145|4656).*(Nom de l’objet :\s*C:\\(?!epic\\))(.*?)\n
---
If this reply helps you, Karma would be appreciated.
0 Karma

Aexyn
Engager

No, that was not exactly what I meant, sorry for my bad English.
Actually I want the string to match the EventID and " Nom de l’objet : " but NOT the ObjectName, i.e. the filename (i.e. the file is not in C:\epic).

This regex doesn't work since it matches pretty much anything on the folder name.

About this, is it possible to define a configuration that matches the ObjectName to send ONLY the matching logs instead of dropping logs which don't match through nullQueue?

0 Karma
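As an added example (not code from this thread or from Splunk), the following Python script reproduces the routing decision Splunk makes for each event and lets you see why the original regex drops nothing while the reply's regex works. Python's re module stands in for Splunk's PCRE engine (the constructs used here behave the same in both); the sample events are constructed to mimic the format shown in the question, and the route() simulator and the "keep only matching events" transform list are this example's own. The keep-only list uses the pattern documented for Splunk routing: a first transform sending everything to nullQueue, followed by a second one that sends the wanted events back to indexQueue, because the last matching transform in a TRANSFORMS-* list decides the queue.

```python
import re

def make_event(code: str, object_name: str) -> str:
    """Build a constructed Windows Security event in the layout pasted in the question.
    Note the label is followed by spaces, not the two tabs the original regex expects."""
    return (
        "06/21/2016 02:31:14 PM\n"
        "LogName=Security\n"
        f"EventCode={code}\n"
        "Message=Un handle vers un objet a été demandé.\n"
        "\n"
        "Objet :\n"
        "    Serveur de l’objet :      Security\n"
        "    Type d’objet :        File\n"
        f"    Nom de l’objet :      {object_name}\n"
        "    ID du handle :      0x18b0\n"
    )

# Constructed sample events: one object under C:\epic, one elsewhere, one uninteresting event code.
EVENTS = {
    "epic": make_event("4656", r"C:\epic\data\file.txt"),
    "docs": make_event("4656", r"C:\Users\Administrateur\Documents"),
    "other_code": make_event("4624", r"C:\Users\Administrateur\Documents"),
}

# Regex exactly as posted in the question. "\t\t" requires two literal tabs after the
# label; the pasted event has spaces there, so the regex never matches and no event is dropped.
ORIGINAL_REGEX = r"(?is)^.*EventCode=(5145|4656).*(Nom de l’objet :\t\t(?!C:\\epic\\*))(.*)$"

# Regex from the reply above: \s* tolerates spaces or tabs, and the negative lookahead
# sits right after "C:\", so only objects outside C:\epic match (and get dropped).
REPLY_REGEX = r"(?s)EventCode=(5145|4656).*(Nom de l’objet :\s*C:\\(?!epic\\))(.*?)\n"

# Simulated transforms.conf stanzas as (REGEX, queue) pairs, in TRANSFORMS-* order.
DROP_WITH_ORIGINAL = [(ORIGINAL_REGEX, "nullQueue")]
DROP_WITH_REPLY = [(REPLY_REGEX, "nullQueue")]

# Whitelist variant for the follow-up question: discard everything, then re-admit only
# 4656/5145 events whose object lives under C:\epic.
KEEP_ONLY_EPIC = [
    (r".", "nullQueue"),
    (r"(?s)EventCode=(5145|4656).*Nom de l’objet :\s*C:\\epic\\", "indexQueue"),
]

def route(event: str, transforms, default: str = "indexQueue") -> str:
    """Apply the transforms in order; each whose REGEX matches sets DEST_KEY = queue,
    and the last match wins, which is how Splunk evaluates a TRANSFORMS-* list."""
    queue = default
    for regex, dest in transforms:
        if re.search(regex, event):
            queue = dest
    return queue

def routing_table(transforms) -> dict:
    """Map each sample event name to the queue the given transform list sends it to."""
    return {name: route(text, transforms) for name, text in EVENTS.items()}

if __name__ == "__main__":
    for label, transforms in [("original", DROP_WITH_ORIGINAL),
                              ("reply", DROP_WITH_REPLY),
                              ("keep-only", KEEP_ONLY_EPIC)]:
        print(label, routing_table(transforms))
```

Running it shows the original regex leaving every event in indexQueue (nothing filtered), the reply's regex dropping only the 4656 event whose object is outside C:\epic, and the keep-only list indexing nothing but the C:\epic event. If the real events carry tabs rather than spaces after the label, \s* still matches, which is why the reply's version is the safer one to deploy.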

richgalloway
SplunkTrust

A small change to the regex fixed it. See my edited answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Aexyn
Engager

Mhh, this time I'm sure your regex is correct, good job.
However, it still doesn't work, and I think there is something tricky I don't see in my files.

Since ObjectName is not directly a field of the log (I mean it is just displayed as part of the message field), maybe there is a problem :(.

0 Karma