Why is multiline regex blacklisting all events for...

geraldcontreras · ‎11-21-2019

Hi All,

I cant seem to get this right.
I am trying to use regex to blacklist 4656 events where:
The account name ends in $
and
The object server is "PlugPlayManager"

Example of the Event:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=server.domain
TaskCategory=Other Object Access Events
OpCode=Info
RecordNumber=2616184651
Keywords=Audit Success
Message=A handle to an object was requested.

Subject:
    Security ID:        domain\computer
    Account Name:       Computer$
    Account Domain:     domain
    Logon ID:       0x2xxxxx81e5

Object:
    Object Server:      PlugPlayManager
    Object Type:        Security
    Object Name:        PlugPlaySecurityObject
    Handle ID:      0x0

Process Information:
    Process ID:     0x2d0
    Process Name:       C:\Windows\System32\svchost.exe

Access Request Information:
    Transaction ID:     {00000000-0000-0000-0000-000000000000}
    Accesses:       Unknown specific access (bit 1)

    Access Reasons:     -
    Access Mask:        0x2
    Privileges Used for Access Check:   -
    Restricted SID Count:   0

I have tested multiple Regex and they all seem to work in regex101but when I apply them, it instead blocks the entire EventCode.

Regex Example in windows_TA on UF

blacklist = EventCode="4656" Message="Account Name:.*?\$(?:[\S\s]*?)Object Server:.*?PlugPlayManager"

I have tried all manner of other combinations, all that work on regex101. And if I change the account name to not include the ending$ or if I change the "object server" it will not match (in regex101).

But for some reason, the blacklist entry ends up blocking ALL 4656 events instead of just those that match

Any help would be greatly appreciated, I do not want to have to block just based on one field in the log, I want to blacklist based on the username and object server.

Thanks in Advance

EDIT*:
I forgot to mention, each time I make the change and reload the Server Class, it does actually appear to work for about 3 minutes, then I get nothing. Is it the case where I need to wait for say 60minutes or so?

gcusello · ‎11-22-2019

Hi @geraldcontreras,
could you please try this regex

(?ms).*Account Name:\s+Computer\$.*Object\s+Server:\s+PlugPlayManager

that you can test at https://regex101.com/r/qiR7FZ/1
so in your TA's stanza

blacklist = EventCode="4656" Message="(?ms).*Account Name:\s+Computer\$.*Object\s+Server:\s+PlugPlayManager"

.
If this filter desn't run on TA, you can apply it on Indexers:
In props.conf, set the TRANSFORMS-null attribute:

[wineventlog://Security]
TRANSFORMS-null= setnull

Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":

[setnull]
REGEX = (?ms).*Account Name:\s+Computer\$.*Object\s+Server:\s+PlugPlayManager
DEST_KEY = queue
FORMAT = nullQueue

For more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.0/Forwarding/Routeandfilterdatad

Ciao.
Giuseppe

geraldcontreras · ‎11-26-2019

Hi Giuseppe,

Thanks for your advice.

This also ends up blacklisting all events rather then the matching regex.
I had tried many combinations previous to posting this question, all which also work in regex101 but fail in the splunk_TA_windows.

I have tried a very simple regex blacklist for event 4656 and that also has the same affect. So it appears to be something unique to this event for some reason (i am using regex successfully on other EventCodes such as 5156,4689,5145 and it is working as expected)

I will try using the props and transforms and see if that works.

Very strange that it appears to be unique (so far) to this one EventCode only

Ill let you know how i go.

thanks

Gerald

Why is multiline regex blacklisting all events for specifically 4656 only?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM