Hi All,
Trying to filter on Win Sec events, dropping events that don't have particular EventIDs and whose Account Name contains $ (computer accounts).
Currently I have something like this in my transforms.conf:
[eventsallowed]
... = (?m)^EventCode=(4624|4625).Account Name:^((?!\$).)*$
This doesn't work. Dropping the Account Name: ... part forwards the events correctly. The regex also seems to be fine for the account name, so not sure what I'm doing wrong.
Any ideas?
Thanks,
Luca
Nope - trying to get it running on the main Splunk instance - sorry for the delay... been busy on other projects.
If you're trying to do this on a Universal Forwarder, that won't work. Filtering can only be performed on Splunk instances that perform parsing (basically, most instances except Universal Forwarders).
Did you end up figuring out what the issue was? I am working on the same task and have been bashing my head against it for a little while now...
Have you tried with (?msi) instead of (?m)?
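As an added example (not code from this thread, and not Splunk's own), here is a Python check of the posted pattern, of the same pattern with the (?msi) flags suggested above, and of a candidate allow-list regex, run against constructed multi-line WinEventLog-style 4624/4625 events. The sample events, the helper names (make_event, matches, should_index) and the section headers the regex keys on ("New Logon:" for 4624, "Account For Which Logon Failed:" for 4625) are my assumptions; 4624 carries two Account Name lines (Subject and New Logon), so the regex anchors on the section rather than on the first Account Name it meets.

```python
import re

# Pattern exactly as posted in the thread (the transforms.conf key was elided there).
POSTED_PATTERN = r"(?m)^EventCode=(4624|4625).Account Name:^((?!\$).)*$"
# Same pattern with the (?msi) flags suggested in the last reply.
POSTED_PATTERN_MSI = r"(?msi)^EventCode=(4624|4625).Account Name:^((?!\$).)*$"

# Candidate allow-list regex (my suggestion, not from the thread). It is written to
# work both in Python's re module and as a PCRE REGEX in transforms.conf:
#   (?m) makes ^ and $ anchor to individual lines of the multi-line event,
#   (?s) lets .*? step across the newlines between those lines,
#   then: the EventCode line -> the section naming the logged-on account
#   ("New Logon:" for 4624, "Account For Which Logon Failed:" for 4625) ->
#   that section's Account Name line, whose value must be non-empty and must
#   not contain '$' (computer accounts). [^\r\n]* keeps the '$' check on one line.
ALLOW_PATTERN = (
    r"(?ms)"
    r"^EventCode=(?:4624|4625)[ \t]*\r?$"
    r".*?"
    r"^(?:New Logon|Account For Which Logon Failed):[ \t]*\r?$"
    r".*?"
    r"^[ \t]*Account Name:[ \t]*"
    r"(?![^\r\n]*\$)"
    r"\S"
)


def matches(pattern: str, event: str) -> bool:
    """True if the regex matches anywhere in the event (the REGEX semantics Splunk uses)."""
    return re.search(pattern, event) is not None


def should_index(event: str) -> bool:
    """Allow-list decision: keep 4624/4625 logons by non-computer accounts, drop the rest."""
    return matches(ALLOW_PATTERN, event)


def make_event(code: int, section: str, account: str, subject: str = "-") -> str:
    """Build a constructed, WinEventLog-shaped multi-line event (sample data, not a real log)."""
    return (
        "10/01/2023 09:15:02 AM\n"
        "LogName=Security\n"
        f"EventCode={code}\n"
        "EventType=0\n"
        "ComputerName=WS01.example.local\n"
        "Message=Constructed sample message.\n"
        "\n"
        "Subject:\n"
        "\tSecurity ID:\t\tNULL SID\n"
        f"\tAccount Name:\t\t{subject}\n"
        "\tAccount Domain:\t\t-\n"
        "\n"
        "Logon Type:\t\t\t3\n"
        "\n"
        f"{section}:\n"
        "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001\n"
        f"\tAccount Name:\t\t{account}\n"
        "\tAccount Domain:\t\tEXAMPLE\n"
    )


# Constructed sample events covering the cases the thread cares about.
EV_USER_LOGON = make_event(4624, "New Logon", "jdoe")
EV_COMPUTER_LOGON = make_event(4624, "New Logon", "WS01$")
EV_USER_LOGON_BY_MACHINE = make_event(4624, "New Logon", "jdoe", subject="WS01$")
EV_FAILED_USER = make_event(4625, "Account For Which Logon Failed", "svc_backup")
EV_FAILED_COMPUTER = make_event(4625, "Account For Which Logon Failed", "SRV02$")
EV_OTHER_CODE = make_event(4672, "New Logon", "jdoe")

if __name__ == "__main__":
    samples = {
        "4624 user": EV_USER_LOGON,
        "4624 computer": EV_COMPUTER_LOGON,
        "4624 user (subject is machine)": EV_USER_LOGON_BY_MACHINE,
        "4625 user": EV_FAILED_USER,
        "4625 computer": EV_FAILED_COMPUTER,
        "4672": EV_OTHER_CODE,
    }
    print(f"{'event':32} posted  (?msi)  allow-list")
    for name, ev in samples.items():
        print(f"{name:32} {matches(POSTED_PATTERN, ev)!s:7} "
              f"{matches(POSTED_PATTERN_MSI, ev)!s:7} {should_index(ev)}")
```

Running it shows the posted pattern matching none of the samples, with or without the extra flags: the single `.` after the EventCode alternative can only consume one character (the newline, once `s` is set), so the literal `Account Name:` never lines up with the next line, and the `^` placed directly after `Account Name:` demands a line start where the event has a tab. The allow-list pattern keeps the two user logons and the failed user logon and rejects the computer-account and 4672 events. In Splunk it would sit in the documented two-stanza layout (a catch-all transform sending everything to nullQueue, then this REGEX with DEST_KEY = queue and FORMAT = indexQueue, both listed in props.conf in that order), and, as noted above in the thread, only on an instance that parses (indexer or heavy forwarder), never on a Universal Forwarder.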