Refine your search:

How do you filter Windows Event Log?

1
4

I've tried to filter native event logs being indexed using the [WinEventLog...] sourcetype. Here are the config:

props.conf

[WinEventLog:Security]
TRANSFORMS-set = delete

transforms.conf

[delete]
REGEX = .*EventCode\=540.*
DEST_KEY = queue
FORMAT = nullQueue

Wondering if this is a bug?!

asked 06 Mar '10, 01:09

BunnyHop's gravatar image

BunnyHop
8368828
accept rate: 25%

edited 16 Apr '10, 15:54

Ledio%20Ago's gravatar image

Ledio Ago ♦
6793615
One Answer:
oldestnewestmost voted
5

Though you don't actually say, I assume your problem is the events with EventCode 540 are not being dropped and that you want them to be. I do not know of any bugs in this area.

However, if that is what you are trying to do, one problem is that the "EventCode" you are presumably looking for is usually found at the beginning of a line, while the regex in your configuration requires a "." before it. By default, "." does not match line breaks, so your regex will not match what you intend. A regex that does do what you probably want is "(?m)^EventCode=540".

link

answered 06 Mar '10, 07:17

gkanapathy's gravatar image

gkanapathy ♦
32.3k4827
accept rate: 41%

That works great! Yes I do want to drop specific events. How do you another condition in the regex? Say with the EventCode, I also want to include all username "Anonymous Logon"? I'm thinking on the regex "(?m)^EventCode=540.ANONYMOUS LOGON.Logon Type: 3"

(10 Mar '10, 04:38) BunnyHop
1

You should look at the documents for PCRE: http://perldoc.perl.org/perlre.html You probably want to use the (?msi) prefix on your regex if you want it to work.

(10 Mar '10, 06:35) gkanapathy ♦

Took awhile but I was able to get my exact regex. I did use the (?msi) prefix. Thanks alot!

(10 Mar '10, 20:41) BunnyHop
2

I recommend adding a not-a-digit at the end of that regex. For example: "(?m)^EventCode=540\D" just so you aren't matching some other event code.

(28 Aug '10, 00:52) Lowell ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×458
×433
×143
×142

Asked: 06 Mar '10, 01:09

Seen: 3,235 times

Last updated: 16 Apr '10, 15:54

Related questions

Discard Windows Events and keep the rest

How to filter off winevent code to capture only failure audit status?

Filtering Windows event logs

Windows Event Log Filter Attempt Failing

windows event log filter

Filter all windows event logs from single server

Pre-filter Windows Event Logs before collected?

WMI Filter event log security Category string

How do you limit the amount of time that splunk looks into the past for log data?

Copyright © 2005-2012 Splunk Inc. All rights reserved.