Hello,
I tried a lot of solutions to filter security log events without success.
I wish I could filter events like the following:
Informations sur la demande d’accès : Masque d’accès : 0x80 Accès : ReadAttributes Résultat de la vérification d’accès : ReadAttributes: Accordé par D:(A;;FA;;;WD)
I want to filter the word "accès".
I tried this:
[events-filter]
REGEX=(?msi)^Accès=(SYNCHRONIZE|ReadAttributes)\D
DEST_KEY = queue
FORMAT = nullQueue
but it does not work.
Do you have an idea to help me?
Where are you trying to filter this? On an indexer or a forwarder?
Hello, I tried with IFX; the problem is that when the fields are extracted, as in the first one, the "accès" does not appear:
If I display "view source", the fields are visible:
In the regex tester tool it is OK:
I do not understand, because I have tried with a regex tester (Kodos) and in the same way the code detects the field, but in Splunk the data comes back anyway.
If you are new to regex - as I am 🙂 - try to use:
Splunk's Field extractor (IFX)
or this very useful regex tester tool: http://www.gskinner.com/RegExr/
Greetz Robert
Try the regex as Kristian posted (modified):
(?msi)Accès\s+:\s+(ReadAttributes|SYNCHRONIZE)
Hello, I tried this regex but it doesn't work; I still have the events with ReadAttributes ...
It does not seem to work.
I attached a screenshot of the event that I want to filter:
Hello Robert,
I just want to filter events where the line "accès" contains "SYNCHRONIZE" or "ReadAttributes".
The EventCode field is not enough; it is 5145 and there are many of them.
Do your events look like that (single-line), or are they truly multi-line?
One thing that springs to mind is that the actual log event does NOT contain the equals-to character (=). Also, I'm not sure whether the accented 'e' might cause problems, so I wildcarded it, and added one-or-more whitespaces after the colon.
Also, I removed the caret (start-of-line).
Try:
REGEX=(?msi)Acc.s:\s+(ReadAttributes|SYNCHRONIZE)
Hope this helps somewhat,
Kristian
Hello Kristian, my events are truly multi-line.
I try your solution ...
I'm not sure what you want to do ...
Do you want to filter all events where the string
"Accès" AND ("SYNCHRONIZE" OR "ReadAttributes")
occur?
It would be useful to specify your request.
Maybe it's better to filter by (known) fields like EventId, EventCode, etc. than by plain strings ...
Greetz Robert