Refine your search:

Regex on a WMI security and Splunk formating

0

Hi,

I want to filter out all Successful NULL user logins from the Windows Security logs by using transforms.conf to send to the nullQueue before indexing.

In the Search app, the lines are displayed as:

  ...
  Type=Audit Success
  User=NULL    
  ...

But I am not sure how to create the regex to handle both lines even though the lines come after one another. All the regex testers I have tried have not been helpful.

asked 10 May '11, 09:25

jordans's gravatar image

jordans
335
accept rate: 100%

edited 10 May '11, 13:19

2 Answers:
oldestnewestmost voted
0

I ended up figuring it out eventually, with some added features:

(?m)Type=Audit\sSuccess(\s+.*\s+){6}Account\sName:\s+(USERNAME1|USERNAME2)
link

answered 10 May '11, 15:58

jordans's gravatar image

jordans
335
accept rate: 100%

edited 10 May '11, 16:10

0

By default, Splunk should extract those fields with it's automatic field extraction. For any key=value, Splunk is pretty friendly. To optimize a search that finds all of these:

  • Make sure "Type" and "User" get extracted. you may need to turn on field discovery and pick them from the field picker

Assuming each event contains both of these lines, here is the search:

Audit Success NULL | search User=NULL Type="Audit Success"

OR

User=NULL Type="Audit Success"

To filter these events from your results, you want to negate the terms:

NOT User=NULL NOT Type="Audit Success"
link

answered 10 May '11, 10:44

Simeon's gravatar image

Simeon ♦
4.2k111035
accept rate: 26%

I'm afraid I was not clear. I want to filter them out before indexing, so I need to configure transforms.conf. That's the regex I need to figure out.

(10 May '11, 13:17) jordans

Sounds like you want to do conditional routing to the nullqueue for specific events. The following thread explains how to route to nullqueue (won't get indexed). You want to modify the regex to recognize your specific events:

http://splunk-base.splunk.com/answers/11102/can-i-devnull-a-sourcetype

(10 May '11, 14:30) Simeon ♦

But that's my whole point. I need to know what the regex is ...

(10 May '11, 15:01) jordans
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×471

Asked: 10 May '11, 09:25

Seen: 958 times

Last updated: 10 May '11, 16:10

Related questions

WMI Filter event log security Category string

Regex is kicking my butt

WMI - Can't poll server

Transforms.conf and Props.conf to filter WMI security eventlog

rsyslog regex or another way?

REGEX in transforms for windows path and EventCode

Infinite number of events from WMI event log

Tuning security in enterprise

Windows Server with Corrupted Security Log

Copyright © 2005-2012 Splunk Inc. All rights reserved.