Receiving Windows security logs from UFs
I have created an app on my HF and put transforms and props in the local folder as follows:
[WinEventLog:Security]
TRANSFORMS-setNull8 = NukeThumbs.db
[NukeThumbs.db]
REGEX = (?s).*Thumbs.db(?s).*
DEST_KEY = queue
FORMAT = nullQueue
However, I'm still seeing Windows event logs coming through to my Splunk instance, like the following:
D:\SYSTEM\FFMC\Hireline\FFFG Fireline 2016\Pete Register\201705 May\Thumbs.db
Is it possible that your Windows event log is multi-line? You could try using (?ms) instead of (?s).
Try this:
[NukeThumbs.db]
REGEX = \\Thumbs\.db(?:[\r\n]+|$)
DEST_KEY = queue
FORMAT = nullQueue
Deploy this to your INDEXERS and restart all Splunk instances there. When testing your change, only examine events that were indexed AFTER the restarts (you can use something like _index_earliest=-2m or similar); older events will stay broken (not deleted).
So this wouldn't work at the HF level? I have no access to the Splunk Cloud indexers.
Yes, it will work for HF; I should have written "your parsing servers" instead of "Indexers".
Applied to the HF and restarted the HF; events are still being seen.
Also added:
[Nukesvchost]
REGEX = \[Ss]vchost.exe(?:[\r\n]+|)
DEST_KEY = queue
FORMAT = nullQueue
which looks right (in regex101.com), however it also doesn't stop the events.
Props and transforms are located in:
C:\ProgramFiles\Splunk\etc\apps\Splunk_TA_EventNukes\local
I have implemented the filtering in inputs.conf on the HF for now, but would still like to know what the issue could be.
Could it be something to do with the fact that the HFs have a 0-byte license? They just forward the data to the cloud.
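As an added offline check (not from this thread and not Splunk tooling), the Python script below reads the two nullQueue stanzas posted above and runs their REGEX against constructed multi-line Security events, the way a parsing HF applies them to _raw. It shows that the NukeThumbs.db pattern does drop the Thumbs.db event, while the Nukesvchost pattern as written never matches an svchost.exe event because the leading \[ makes the bracket a literal character; the event text is invented for the test.

```python
import re
# Constructed copy of the two nullQueue stanzas posted in this thread (raw string: backslashes reach re as-is).
TRANSFORMS_CONF = r"""[NukeThumbs.db]
REGEX = \\Thumbs\.db(?:[\r\n]+|$)
DEST_KEY = queue
FORMAT = nullQueue

[Nukesvchost]
REGEX = \[Ss]vchost.exe(?:[\r\n]+|)
DEST_KEY = queue
FORMAT = nullQueue
"""
def parse_transforms(text):
    """Minimal transforms.conf reader: returns {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def null_queue_patterns(stanzas):
    """Compile the REGEX of every stanza that routes matches to nullQueue."""
    return {name: re.compile(s["REGEX"]) for name, s in stanzas.items()
            if s.get("DEST_KEY") == "queue" and s.get("FORMAT") == "nullQueue"}

def would_drop(event, patterns):
    """Name of the first nullQueue transform whose REGEX matches the raw event, else None.
    Splunk runs REGEX against _raw (the whole multi-line event) unless SOURCE_KEY says otherwise."""
    for name, rx in patterns.items():
        if rx.search(event):
            return name
    return None

# Constructed multi-line Security events in the shape a UF forwards them (not real log data).
THUMBS_EVENT = ("05/17/2017 10:12:03 AM\nLogName=Security\nEventCode=4663\nObject Name:\t"
                "D:\\SYSTEM\\FFMC\\Hireline\\FFFG Fireline 2016\\Pete Register\\201705 May\\Thumbs.db\n")
SVCHOST_EVENT = ("05/17/2017 10:12:04 AM\nLogName=Security\nEventCode=4688\n"
                 "New Process Name:\tC:\\Windows\\System32\\svchost.exe\n")
PATTERNS = null_queue_patterns(parse_transforms(TRANSFORMS_CONF))

if __name__ == "__main__":
    for label, ev in [("thumbs", THUMBS_EVENT), ("svchost", SVCHOST_EVENT)]:
        print(label, "->", would_drop(ev, PATTERNS) or "indexed")
```

Python's re is not PCRE, but these two patterns behave identically in both engines, so a pattern that fails here will also fail on the HF, and one that passes here points the search at where the transform runs rather than at the regex.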