Hello,
I'm attempting to verify a blacklist parameter for a wineventlog stanza by using regex and rex in search, and the escape character backslash (\) is being treated incorrectly by both regex and rex.
For instance, I know that Splunk search uses PCRE for regex. If the message field contents are as follows:
A network share object was checked to see whether client can be granted desired access.
Subject:
Security ID: S-1-5-21-001
Account Name: testuser
Account Domain: CONTOSO
Logon ID: 0xA04CAB48
Network Information:
Object Type: File
Source Address: 192.168.0.1
Source Port: 62387
Share Information:
Share Name: \\*\uemprofiles
Share Path: \??\D:\UEM\uemprofiles
Relative Target Name: testuser\favorites\thisisawebpage.url
Access Request Information:
Access Mask: 0x2
Accesses: WriteData (or AddFile)
Access Check Results:
WriteData (or AddFile): Granted by D:(A;;0x1301bf;;;WD)
Given the documentation on backslash escape chars (hxxps://docs.splunk.com/Documentation/Splunk/7.3.1/Search/SPLandregularexpressions), I believe all backslashes in a path (\) must be stated within a regex as four backslashes (\\\\).
Therefore, I expect to match the above event with | regex Message="Share Path:\s*\\\\\?\?\\\\D" | rex "Share Path:\s*\\\\\?\?\\\\(?P<path>.*)" where path is then equal to D:\UEM\uemprofiles, and the rex works.
But given that regex, how do I know for sure that this acts the same way as rex, and thus how do I know that blacklist in inputs.conf will act this same way? In fact, I have a feeling that blacklist does not require the additional backslash escape conditions. Is this correct?
Therefore, to blacklist these events (only when the share path contains \??\D:) within an inputs.conf WinEventLog stanza, the following syntax should be used for a successful regex match:
blacklist3 = EventCode="5145" Message="Share Path:\s*(\\\?\?\\D:)"
Is this correct?
Thanks,
matt
After some testing, it's clear that the regular escape syntax is what is used:
blacklist3 = EventCode="5145" Message="Share Path:\s*(\\\?\?\\D:)"
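The escaping question in the thread, worked through as an added example that is not part of the original post and not Splunk's own code. The script models the two escaping layers the poster is asking about: a double-quoted SPL argument is unescaped once (so `\\` becomes `\`) before PCRE compiles it, while an inputs.conf blacklist value reaches the regex engine as typed (the conclusion the poster reached by testing). Both of those are assumptions stated here, not Splunk internals verified from source; `spl_unescape` is a hypothetical helper written for this example, and Python's `re` stands in for PCRE since `\s`, `\?` and `(?P<name>...)` behave the same in both. The sample event is the message body quoted in the post, re-typed as constructed test input.

```python
import re

# Constructed sample input: the EventCode 5145 message quoted in the post,
# so the patterns can be exercised offline without a Splunk instance.
MESSAGE = r"""A network share object was checked to see whether client can be granted desired access.
Subject:
Security ID: S-1-5-21-001
Account Name: testuser
Account Domain: CONTOSO
Logon ID: 0xA04CAB48
Network Information:
Object Type: File
Source Address: 192.168.0.1
Source Port: 62387
Share Information:
Share Name: \\*\uemprofiles
Share Path: \??\D:\UEM\uemprofiles
Relative Target Name: testuser\favorites\thisisawebpage.url
Access Request Information:
Access Mask: 0x2
Accesses: WriteData (or AddFile)
Access Check Results:
WriteData (or AddFile): Granted by D:(A;;0x1301bf;;;WD)"""

# Patterns exactly as they appear in the post.
SPL_REGEX = r'Share Path:\s*\\\\\?\?\\\\D'                 # | regex Message="..."
SPL_REX = r'Share Path:\s*\\\\\?\?\\\\(?P<path>.*)'        # | rex "..."
BLACKLIST = r'Share Path:\s*(\\\?\?\\D:)'                  # inputs.conf blacklist3 Message="..."


def spl_unescape(quoted: str) -> str:
    """Hypothetical model of the one level of string unescaping a double-quoted
    SPL argument gets before the regex engine sees it: '\\\\' -> '\\' and
    '\\"' -> '"'; any other backslash sequence (e.g. '\\s', '\\?') is passed
    through untouched so the regex engine can interpret it.  This is an
    assumption for the example, not a copy of Splunk's parser."""
    out = []
    i = 0
    while i < len(quoted):
        ch = quoted[i]
        if ch == "\\" and i + 1 < len(quoted) and quoted[i + 1] in ('\\', '"'):
            out.append(quoted[i + 1])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def spl_regex_matches(pattern_as_typed: str, text: str = MESSAGE) -> bool:
    """Emulate `| regex field="<pattern>"`: unescape once, then search."""
    return re.search(spl_unescape(pattern_as_typed), text) is not None


def spl_rex_capture(pattern_as_typed: str, group: str, text: str = MESSAGE):
    """Emulate `| rex "<pattern>"` and return one named capture (or None)."""
    m = re.search(spl_unescape(pattern_as_typed), text)
    return m.group(group) if m else None


def blacklist_matches(pattern: str, text: str = MESSAGE) -> bool:
    """Emulate the inputs.conf blacklist: the value is handed to the regex
    engine as typed, with no extra unescaping step (the post's test result)."""
    return re.search(pattern, text) is not None


if __name__ == "__main__":
    # After one round of SPL unescaping the search-time regex is the same
    # regex body the blacklist uses, which is why the two forms differ only
    # in the number of backslashes typed, not in what they match.
    print("SPL regex after unescape :", spl_unescape(SPL_REGEX))
    print("search | regex matches    :", spl_regex_matches(SPL_REGEX))
    print("search | rex path         :", spl_rex_capture(SPL_REX, "path"))
    print("blacklist form matches    :", blacklist_matches(BLACKLIST))
    print("SPL form used in blacklist:", blacklist_matches(SPL_REGEX))
```

Running it shows the point of the thread in one place: the search-time pattern collapses to `Share Path:\s*\\\?\?\\D` once the SPL string layer is removed, the blacklist pattern matches as typed, and pasting the four-backslash search form into inputs.conf would fail because the regex engine would then demand two literal backslashes where the event has one.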