Howdy All,
I am looking for some assistance with a SEDCMD. I am trying to clean up some XmlWineventlog:security events, particularly the 4688 Event, where we are capturing command line for processes running. We are finding that this is causing us some ingestion woes at the moment, with some _raw event sizes being over 5kb each. So we are trying to clean up some of the Normal Noise in this <data> Name='CommandLine'> ...... </data> for certain processes.
These are currently being collected by the Windows TA on Universal Forwarders on each desktop, so will be added to the local/props.conf
The first one I have looked at, is something our Citrix VPN client does, which is spawn some powershell. the event is rather large, so looking to strip out the content and replace it with some meaningful text. I have confirmed the regex works, I am just wanting advise on the actual SEDCMD.
Does this appear correct?
SEDCMD-cleanxmlcitrixcommandprocess = s/("powershell\.exe" "-Command\s{6})((\$version='1\.0\.0\.0'\s\$application='CitrixVPN')[\S\s\r\n]+("))/gm /Citrix Command process/
And in the props.conf file, should this be under:
[source::WinEventLog:Security]
or
[source::XmlWinEventLog:Security] - which is the current sourcetype of the event when searching on the indexer.
Any assistance would be greatly appreciated.
It looks like the SEDCMD is in the wrong format. Try this:
SEDCMD-cleanxmlcitrixcommandprocess = s/("powershell\.exe" "-Command\s{6})((\$version='1\.0\.0\.0'\s\$application='CitrixVPN')[\S\s\r\n]+("))/Citrix Command process/gm
BTW, this setting should be on the first parsing Splunk instance (HF or indexer).