Solved: Looking to filter out C:\Program Files (x86)\Syman...

andrewsmiley · ‎05-30-2012

Once a week when Symantec runs a full scan our quota gets blown out of the water. Is there a way to filter these events out so they are not forwarded to the index server?

Chubbybunny · ‎05-31-2012

route Rtvscan events to null using

props.conf

[WinEventLog:Security]
TRANSFORMS = carrot, rabbit_hole

transforms.conf

[rabbit_hole]
REGEX = (?msi)EventCode=4656.*Process Name:\s.*Rtvscan.exe 
DEST_KEY = queue 
FORMAT = nullQueue


[carrot]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue


(\__/)
(='.'=)
(")_(")

View solution in original post

Chubbybunny · ‎05-31-2012

route Rtvscan events to null using

props.conf

[WinEventLog:Security]
TRANSFORMS = carrot, rabbit_hole

transforms.conf

[rabbit_hole]
REGEX = (?msi)EventCode=4656.*Process Name:\s.*Rtvscan.exe 
DEST_KEY = queue 
FORMAT = nullQueue


[carrot]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue


(\__/)
(='.'=)
(")_(")

dshpritz · ‎05-30-2012

You can use a blacklist in the input (depending on how you have your monitor stanza configured):

http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

Another option would be to use a nullQueue to filter the events:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_...

Looking to filter out C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan events

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...