Getting Data In

How to filter inputs.conf whitelist content for Windows event logs?

Aexyn
Engager

Hello,

I configured an audit on a folder on Windows. Now I want to send it to my Splunk Server, but there are many file audits configured by the system itself (file access in System32...) and I'm not interested in these logs.

So I need more than the eventID filter on the whitelist option of inputs.conf

How can I do that, for example by checking the content of the log and only send it if it contains C:\MyFolder?

Thanks

0 Karma

ryanoconnor
Builder

You'll want to do this with a props.conf and transforms.conf. Things get slightly more complex if you want to filter everything and only include some things (such as C:\MyFolder). You'll also probably add a lot of additional processing in Splunk that isn't necessary. If it's the case that you only want to audit a specific folder, you might want to configure that auditing specifically inside the OS.

If you want to just filter out some folders (such as System32), you could set up a props.conf and transforms.conf like the following. You can also duplicate these for additional folders that you want to filter.

props.conf

[WinEventLog:Security]
TRANSFORMS-FilterEvent = FilterEventSystem32

transforms.conf

[FilterEventSystem32]
REGEX = <REGEX_THAT_MATCHES_HERE>
DEST_KEY = queue
FORMAT = nullQueue

If you can send a sample event you'd like to filter out I can be more specific with a Regex.
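The following is an added example, not part of ryanoconnor's answer or of Splunk itself. It is a small Python simulation of how Splunk evaluates the transforms listed in a props.conf TRANSFORMS-* setting: every transform whose REGEX matches writes its FORMAT into DEST_KEY=queue, in the listed order, so the last match wins and the default destination is indexQueue. It runs both variants the thread discusses over constructed 4663/4624 events: dropping only the chatty System32 path, and the "keep only C:\MyFolder" case, which needs a catch-all setnull transform listed before the keep transform. The stanza names setnull and KeepMyFolder and the sample events are assumptions made for the example.

```python
import re

# Constructed sample Windows Security events in the multi-line text form the
# Windows TA produces (not real captures): three 4663 object-access events and
# one 4624 logon event that lives in the same WinEventLog:Security sourcetype.
SAMPLE_EVENTS = [
    "EventCode=4663\nAn attempt was made to access an object.\n"
    "Object Name:\tC:\\Windows\\System32\\config\\SAM\nAccesses:\tReadData",
    "EventCode=4663\nAn attempt was made to access an object.\n"
    "Object Name:\tC:\\MyFolder\\secret.docx\nAccesses:\tReadData",
    "EventCode=4663\nAn attempt was made to access an object.\n"
    "Object Name:\tC:\\MyFolder\\sub\\report.xlsx\nAccesses:\tDELETE",
    "EventCode=4624\nAn account was successfully logged on.",
]


def apply_transforms(event, transforms):
    """Mimic Splunk's handling of TRANSFORMS-* stanzas that set DEST_KEY = queue.

    transforms is an ordered list of (stanza_name, REGEX, FORMAT). Each matching
    transform overwrites the queue, so the last matching one decides where the
    event goes. Events that match nothing keep the default indexQueue.
    """
    queue = "indexQueue"
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


# Variant 1 (the approach in the answer above): drop only one chatty folder.
# Equivalent transforms.conf: [FilterEventSystem32] with this REGEX,
# DEST_KEY = queue, FORMAT = nullQueue.
EXCLUDE_SYSTEM32 = [
    ("FilterEventSystem32", r"Object Name:\s+C:\\Windows\\System32\\", "nullQueue"),
]

# Variant 2: keep only events for C:\MyFolder and discard everything else in the
# sourcetype. Order matters: in props.conf this is
# TRANSFORMS-set = setnull, KeepMyFolder, so KeepMyFolder can override setnull.
# Note the side effect the answer warns about: unrelated events such as 4624
# logons are also dropped, because they never match the keep regex.
INCLUDE_ONLY_MYFOLDER = [
    ("setnull", r".", "nullQueue"),
    ("KeepMyFolder", r"Object Name:\s+C:\\MyFolder(\\|$)", "indexQueue"),
]


def route(events, transforms):
    """Return the destination queue for each event under the given transforms."""
    return [apply_transforms(e, transforms) for e in events]


if __name__ == "__main__":
    for label, transforms in (("exclude System32", EXCLUDE_SYSTEM32),
                              ("include only C:\\MyFolder", INCLUDE_ONLY_MYFOLDER)):
        print(label)
        for event, queue in zip(SAMPLE_EVENTS, route(SAMPLE_EVENTS, transforms)):
            print("  ", event.splitlines()[0], "->", queue)
```

The regexes anchor on the "Object Name:" line rather than matching "C:\MyFolder" anywhere in the event, so a path that merely appears in another field (a process name, for example) does not change the routing decision. The same anchoring is worth keeping in the real transforms.conf REGEX.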

Aexyn
Engager

Hi,

Finally, custom view configuration is rather limited and I'm not even sure I can do what I want, i.e. filtering the ObjectName field.
So I have just followed your advice on Splunk with transforms.conf and props.conf configuration.

Even if I thought that was the "dirty way", after filtering "Object Name C:*" (even C:\Windows should be almost perfect) I don't receive any logs from the chatty Windows.

If you want to do the same, honestly, don't lose your time searching weird Windows configuration and just filter any chatty folder.

It is finally quite easy and powerful.

Thanks for all

0 Karma

ryanoconnor
Builder

That's awesome news, I'm glad you got it working! Let me know if you have any other questions around this.

0 Karma

Aexyn
Engager

Thanks for your reply.
Actually, my idea was to include only the events which concern this folder, with no restriction about the type of events (read, modification attempt, deletion ...).

There is no specific format for stored files, the only condition is the path "C:\Myfolder*" (or C:\Myfolder*).
Is it possible to exclude a drive?
This way I could just set my folder as a shared network drive (and exclude any other drive).

You're right about the OS configuration, I have started configuring Windows logs with the Advanced XML Filtering, it is a bit tedious but this should work.

About that, do you know if it is possible to forward Windows logs of a customised View, which filters logs, in the same way as ordinary logs (I mean [Winevent://MyView] in inputs.conf, for example)?

0 Karma

ryanoconnor
Builder

I believe you should be able to use a custom view. Try this and see if it's what you're looking for?

http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorWindowseventlogdata#Use_the_.22Full_Na...

0 Karma