Hi All,
In our environment we are wanting to cut down on some windows event logs. There are quite a few logs that have specific message patterns and script names that we are wanting to discard. After researching and scouring the internet for ways to perform regex on a blacklist, I'm having trouble finding an example similar to mine.
In our Windows Event Logs, we are seeing events still come through, even though we are attempting to blacklist them. Here is an example where the ScriptName is C:\WINDOWS\system32\WindowsPowerShell\v1.\powershell.EXE and is not being dropped, I have a feeling this is due to the regex in place and the .* not wanting to pick up whatever is after the initial C:\WINDOWS\
If anyone could shed any light on this, that would be much appreciated!!
Message=Pipeline execution details for command line: $Col = new-object Data.DataColumn . Context Information: DetailSequence=1 DetailTotal=1 SequenceNumber=21 UserId=domain\AccountName$ HostName=ConsoleHost HostVersion=46545HostId=xxx-xxx-xx-xxxxHostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.EXE -command C:\WINDOWS\Script\debug-process.ps1 \EngineVersion=RunspaceId=-5e81---PipelineId=1 ScriptName=C:\WINDOWS\Script\debug-process.ps1 CommandLine= $Col = new-object Data.DataColumn Details: CommandInvocation(New-Object): "New-Object" ParameterBinding(New-Object): name="TypeName"; value="Data.DataColumn" 1
blacklist8 = EventCode="800" Message="domain\\AccountName" ScriptName=".+(?:C:\\WINDOWS\\Script\\.*)"
ScriptName=".+(?:C:\\WINDOWS\\Script\\.*)"
This regex calls for at least one character to precede the "C:", but that can't happen (it certainly doesn't match the example).