Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex match on "message" portion of event

montydo
Explorer
‎01-20-2020 03:04 AM

From the splunk windows_TA guide

"The following keys are equivalent to the fields which appear in the text of
the acquired events: Category CategoryString ComputerName EventCode
EventType Keywords LogName **Message** OpCode RecordNumber Sid SidType
SourceName TaskCategory Type User"

I'm trying to filter on the contents of the "Message" field:

An operation was attempted on a privileged object. Subject: Security ID:    ROOT\username Account Name: username Account Domain:    DOMAINNAME Logon ID:    0x200ABCD1 Object: Object Server:   Security Object Type:   - Object Name:  - Object Handle: 0x1234 Process Information: Process ID:    0x12A3 Process Name:    **C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe** Requested Operation: Desired Access:   1234567 Privileges: SeTakeOwnershipPrivilege

I'm looking to match on the "C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe" portion and discard the events through a blacklist stanza in the inputs.conf on the Universal Forwarder.

Something like:

blacklist3 = | key=regex [key=REGEXHERE?]

Is this possible? and can anyone help with the regex?

Tags (2)
0 Karma
Reply

damann
Communicator
‎01-20-2020 04:09 AM

Try this for your blacklisting.
Make sure you escape your backslashes and your dots as they would be interpreted as wildcards.

blacklist3 = Message="Process Name:\s+\*\*C:\\Program Files\\Veeam\\Backup and Replication\\Console\\veeam\.backup\.shell\.exe"
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-20-2020 04:07 AM

Hi @montydo,
let me understand: do you want to exclude from indexing all the events where there's the string "C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe" ?
if this is your need you should use something like this:

[WinEventLog://Security]
disabled = 0
start_from = newest
blacklist1 = C:\\Program Files\\Veeam\\Backup and Replication\\Console\\veeam.backup\.shell\.exe
index = wineventlog

otherwise, you can filter these events on Indexers before indexing (see at https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad#Filter_event_data_... ) using the same regex.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...