Hi,
I am auditing the Splunk Data directories for any kind of access. To do this, I put EVERYONE in the audit group. I then want to filter out any that come in from the system account:
Fo instance, an event like this is generated
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=COMPUTERNAME.DOMAIN.com
TaskCategory=File System
OpCode=Info
RecordNumber=960826400
Keywords=Audit Success
Message=A handle to an object was requested.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: COMPUTERNAME$
Account Domain: DMN
Logon ID: 0x3e7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Program Files\Splunk\Python-2.7\Lib\encodings
Handle ID: 0x8c
Process Information:
Process ID: 0xcf4
Process Name: C:\Program Files\Splunk\bin\python.exe
What I want match out to pass to the nullQueue in transforms.conf is across multiple lines:
TaskCategory=File System & Account Name: COMPUTERNAME$
I cannot get this to match no matter the regex I throw in there (I am guessing because it is going across multiple lines).
Thanks for any help.
Kevin
have you tried with (?msi)
before your regex? if still not working what is your regex?