Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

remove events from Windows security

Esky73
Builder
‎06-03-2017 08:35 AM

Receiving windows security logs from UF's

I have a created an app on my HF and put transforms and props in the local folder as such:

[WinEventLog:Security]
TRANSFORMS-setNull8 = NukeThumbs.db

[NukeThumbs.db]
REGEX = (?s).*Thumbs.db(?s).*
DEST_KEY = queue
FORMAT = nullQueue

However i'm still seeing windows eventlogs coming through to my splunk instance like the following:

D:\SYSTEM\FFMC\Hireline\FFFG Fireline 2016\Pete Register\201705 May\Thumbs.db
Tags (1)
0 Karma
Reply

tlam_splunk
Splunk Employee
Splunk Employee
‎06-05-2017 08:53 PM

Is it possible that your window event log is in multilines ? You could try to use (?ms) instead of (?s).

0 Karma
Reply

woodcock
Esteemed Legend
‎06-03-2017 08:52 AM

Try this:

[NukeThumbs.db]
REGEX = \\Thumbs\.db(?:[\r\n]+|$)
DEST_KEY = queue
FORMAT = nullQueue

Deploy this to your INDEXERS and restart all Splunk instances there. When testing your change, only examine events that were indexed AFTER the restarts (you can use something like _index_earliest=-2m or similar); older events will stay broken (not deleted).

0 Karma
Reply

Esky73
Builder
‎06-03-2017 04:22 PM

so this wouldn't work at the HF level ? - i have no access to the splunk cloud indexers.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-03-2017 04:38 PM

Yes, it will work for HF; I should have written your parsing servers instead of Indexers.

0 Karma
Reply

Esky73
Builder
‎06-03-2017 05:41 PM

applied to the HF and restarted HF still events being seen.

Also added:

[Nukesvchost]
REGEX = \[Ss]vchost.exe(?:[\r\n]+|)
DEST_KEY = queue
FORMAT = nullQueue

which looks right (In regex101.com)

however also doesnt stop the events

props and transforms are located in :

C:\ProgramFiles\Splunk\etc\apps\Splunk_TA_EventNukes\local

0 Karma
Reply

Esky73
Builder
‎06-04-2017 06:24 PM

I have implemented the filtering in inputs.conf on the HF fir now - but still would like to know what could be the issue ..

Could it be something to do with the fact the HF's have a 0 byte license - they just forward he data to the cloud.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...