- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Syntax of $XmlRegex property for white listing Win...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a stanza which looks like this:
[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
renderXml=true
#Block events
whitelist = $XmlRegex='Level="2"'
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
If I remove the whitelist I get all the event types. However I only want the Error events. Without the renderXml option, my whitelist would look like this:
whitelist = Type="Error"
However, when rendered in Xml the event level is rendered like this <level>2</level>
However, the documentation has only the most basic example of searching for text when using renderXml.
Does anyone have any experience in advanced syntax for this option? I've tried:
whitelist = $XmlRegex='Level="2"'
whitelist = $XmlRegex=Level="2"
whitelist = $XmlRegex="\<Level\>2"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks to @dan_mcinnes for his answer which made me think about testing my regex using Search. The tip about capturing groups wasn't actually needed. It was the escaping of the < which was causing it to fail. Actually none of the characters in <Level>2</Level> are special.
I always thought that unneeded escaping was "safe" so if you escaped a non-special character that it wouldn't affect the match, but it turns out it did.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks to @dan_mcinnes for his answer which made me think about testing my regex using Search. The tip about capturing groups wasn't actually needed. It was the escaping of the < which was causing it to fail. Actually none of the characters in <Level>2</Level> are special.
I always thought that unneeded escaping was "safe" so if you escaped a non-special character that it wouldn't affect the match, but it turns out it did.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I've actually just been looking into the same thing. It looks like you need to include a capture group within your regex that will match something in the event.
I found the best way to get this right the first time round is by starting with a search in Splunk web that includes the regex command to test your regex quickly. Something like the example below should match your event. (Change the index to suit your needs)
index=* | regex _raw="(?<=Level\>)(4)"
If this works then you know your regex is matching correctly, you should then be able to take that and add it to a blacklist or whitelist depending on what you want
whitelist = $XmlRegex = '(?<=Level\>)(4)'
blacklist = $XmlRegex = '(?<=Level\>)(4)'
I also like to use https://regex101.com/ when I'm doing anything with regex, I'd recommend checking it out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
It's a standard windows event log. Apologies that my link to the Splunk documentation didn't work. You can see a sample event in here
https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/MonitorWindowseventlogdata
Scroll down to the heading: Display Windows Event Log events in XML
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try using whitelist = $XmlRegex=Event.System.Level=2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well I tried something very similar. Would you need to escape the <
Like this 2\
Forward slashes don't require escaping in my experience.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2<\/Level>
Without the escaping, the regex isn't working
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm, the web portal mangled my reply.
Have you tested the above? I tried something very similar (see my OP) and it didn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your suggestion, but it didn't work. Here is a sample of the actual event:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-AppLocker' Guid='{cbda4dbf-8d5d-4f69-9578-be14aa540d22}'/><EventID>8002</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2020-01-20T22:30:09.805334100Z'/><EventRecordID>28242</EventRecordID><Correlation/><Execution ProcessID='4640' ThreadID='7872'/><Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel><Computer>HOSTNAME</Computer><Security UserID='S-1-5-21-3206126476-1968031584-1518185873-1130'/></System><UserData><RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'><PolicyNameLength>3</PolicyNameLength><PolicyName>DLL</PolicyName><RuleId>{bac4b0bf-6f1b-40e8-8627-8545fa89c8b6}</RuleId><RuleNameLength>37</RuleNameLength><RuleName>(Default Rule) Microsoft Windows DLLs</RuleName><RuleSddlLength>57</RuleSddlLength><RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "%WINDIR%\*"))</RuleSddl><TargetUser>S-1-5-21-3206126476-1968031584-1518185873-1130</TargetUser><TargetProcessId>4640</TargetProcessId><FilePathLength>22</FilePathLength><FilePath>%SYSTEM32%\NTMARTA.DLL</FilePath><FileHashLength>0</FileHashLength><FileHash></FileHash><FqbnLength>117</FqbnLength><Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NTMARTA.DLL\10.0.17763.01</Fqbn><TargetLogonId>0x71c37ca</TargetLogonId></RuleAndFileData></UserData></Event>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2<\/Level> tried this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your suggestion, but this whitelist didn't work. With the input enabled all events are forwarded. I've tried it as you suggested and have put the "2" in quotes.
Here is a copy and paste of an actual event:
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'> Name='Microsoft-Windows-AppLocker'
Guid='{cbda4dbf-8d5d-4f69-9578-be14aa540d22}'/>800204000x8000000000000000 SystemTime='2020-01-20T22:30:09.805334100Z'/>28242 ProcessID='4640'
ThreadID='7872'/>Microsoft-Windows-AppLocker/EXE
and
DLLZPVWMGT01X.dmz.amsa.gov.au UserID='S-1-5-21-3206126476-1968031584-1518185873-1130'/> xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'>3DLL{bac4b0bf-6f1b-40e8-8627-8... Rule) Microsoft Windows
DLLs57D:(XA;;FX;;;S-1-1-0;(APPID://PATH
Contains
"%WINDIR%*"))S-1-5-21-3206126476-1968031584-1518185873-1130464022%SYSTEM32%\NTMARTA.DLL0117O=MICROSOFT
CORPORATION, L=REDMOND, S=WASHINGTON,
C=US\MICROSOFT® WINDOWS® OPERATING
SYSTEM\NTMARTA.DLL\10.0.17763.010x71c37ca
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you provide a sample event?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
