
I need to filter out logs that have "Account Name: SERVER01$"

Nsdjanin
New Member

Hello everybody,

I'm new to this field and I have one question.
We have too many Windows security logs indexed that are generated by machine accounts.
I want to filter out logs that look like this:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4658
EventType=0
Type=Information
ComputerName=comp1.domain.com
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=4463688
Keywords=Audit Success
Message=The handle to an object was closed.

Subject :
Security ID: DOMAIN1\SERVER01$
Account Name: SERVER01$
Account Domain: DOMAIN1
Logon ID: 0x347732

I need to filter out logs that have "Account Name: SERVER01$".
What is the best way to do this?
I know about props.conf and transforms.conf, but I don't know how to generate right regex for that.

Please help!


splunknewbie81
Engager

Maybe you want to use this -

| regex Account_Name!="\$$"

I am using this in my search string and it drops all the hostname$ accounts.


woodcock
Esteemed Legend

Assuming that the sourcetype is WinEventLog:Security:

In props.conf:

[source::WinEventLog:Security]
TRANSFORMS-eliminate-4658-SERVER01 = eliminate-4658-SERVER01

In transforms.conf:

[eliminate-4658-SERVER01]
REGEX = (?ms)[\s\r\n]+EventCode\s*=\s*4658[\s\r\n]+.*[\s\r\n]+Account\s+Name:\s*SERVER01\$[\s\r\n]+
DEST_KEY = queue
FORMAT = nullQueue

You will need to restart splunkd on EVERY indexer and even then, only post-restart events will be dropped (what is in is in).

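One way to check what this transforms.conf REGEX actually matches before pushing it to the indexers (added example, not from the thread): run the same pattern with Python's `re` against sample events modelled on the one pasted in the question. The sample events are constructed here; `make_event`, `would_be_dropped` and `route` are helper names chosen for this example.

```python
import re

# REGEX from the transforms.conf stanza above, copied verbatim.
# Splunk applies it as an unanchored search over the raw event, so re.search is used.
NULLQUEUE_REGEX = re.compile(
    r"(?ms)[\s\r\n]+EventCode\s*=\s*4658[\s\r\n]+.*[\s\r\n]+Account\s+Name:\s*SERVER01\$[\s\r\n]+"
)


def make_event(event_code, account_name, record=4463688):
    """Constructed sample event shaped like the 4658 event in the question."""
    return (
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        f"EventCode={event_code}\n"
        "EventType=0\n"
        "Type=Information\n"
        "ComputerName=comp1.domain.com\n"
        "TaskCategory=Removable Storage\n"
        "OpCode=Info\n"
        f"RecordNumber={record}\n"
        "Keywords=Audit Success\n"
        "Message=The handle to an object was closed.\n"
        "\n"
        "Subject :\n"
        f"Security ID: DOMAIN1\\{account_name}\n"
        f"Account Name: {account_name}\n"
        "Account Domain: DOMAIN1\n"
        "Logon ID: 0x347732\n"
    )


def would_be_dropped(raw_event):
    """True if the REGEX matches, i.e. the event would be routed to nullQueue."""
    return NULLQUEUE_REGEX.search(raw_event) is not None


def route(events):
    """Split events into (kept, dropped), mimicking the queue/nullQueue decision."""
    kept, dropped = [], []
    for ev in events:
        (dropped if would_be_dropped(ev) else kept).append(ev)
    return kept, dropped


if __name__ == "__main__":
    sample = [make_event(4658, "SERVER01$"), make_event(4658, "jdoe"), make_event(4624, "SERVER01$")]
    kept, dropped = route(sample)
    print(f"kept={len(kept)} dropped={len(dropped)}")  # kept=2 dropped=1
```

Note that the pattern requires whitespace before `EventCode`, so an event whose raw text begins with `EventCode=4658` on its first line is not matched; the test below includes that case.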

Nsdjanin
New Member

Woodcock, thanks, but after your proposed changes I now have a situation where all of my security logs from this particular machine are filtered out. Not only 4658 with account name SERVER01$, but all of them.
Do you have any idea?


woodcock
Esteemed Legend

First, I forgot 1 key configuration: FORMAT = nullQueue (I updated the answer). But that mistake should not have caused what you are describing. Fix that mistake and if it doesn't behave, then perhaps there is something else that you added that is doing this (e.g. blacklist).


Nsdjanin
New Member

Props.conf
[source::WinEventLog:Security]
TRANSFORMS-filterWinSecNull = filterWinSecNull

Transforms.conf
[filterWinSecNull]
REGEX = (?ms)[\s\r\n]+EventCode\s*=\s*4658[\s\r\n]+.*[\s\r\n]+Account\s+Name:\s*SERVER01\$[\s\r\n]+
DEST_KEY = queue
FORMAT = nullQueue

These are my props.conf and transforms.conf files.
I don't have any blacklists.
This configuration filters out all Windows security logs from that particular machine, which has lots of logs with Account Name SERVER01$.

Do you have any ideas?
Thanks in advance


woodcock
Esteemed Legend

It looks fine to me and it should work as you listed it. I am at a loss.


woodcock
Esteemed Legend

Do you need to prevent them from being indexed or do you need them to be dropped from a specific search's results set?


Nsdjanin
New Member

I need to prevent them from being indexed.


woodcock
Esteemed Legend

See my answer.


niketn
Legend

You need to blacklist your [WinEventLog://Security] input in inputs.conf

blacklist= EventCode="4658"

Refer to the documentation for using whitelist and blacklist in inputs.conf:
http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Create_advanced_f...

Also, for the spec and conf of inputs.conf, please refer to http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf


Nsdjanin
New Member

niketnilay, thanks for the answer, but I need EventCode 4658.
I want to filter out only the machine account Account Name: SERVER01$ that generates these logs. The other accounts I need.
