Hi,
I am tired of trying to make this filter work, but unfortunately nothing has worked.
I have Windows Security events in which the "Account Name" field appears in two places.
For example (one under the "Subject" section and one under the "New Logon" section):
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=comp-1
TaskCategory=Logon
OpCode=Info
RecordNumber=123456789
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
Security ID: XYZ\name1$
Account Name: name1$
Account Domain: XYZ
Logon ID: 0xxxxxx
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: xyz
Source Network Address: x.x.x.x
Source Port: 60000
I want to filter any event that has a "$" character in the SECOND Account Name field because sometimes the first "Account Name" is empty and that's why I don't really care about that one.
Hence I tried the following in the Windows Universal Forwarder's inputs.conf:
#filtering win logs logis within the servers.
[WinEventLog://Security]
disabled = 0
index = test
sourcetype = win
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = 560,567,7035,7036,592,593,595,4656,4663
blacklist4 = Message="Account Name:\s*((.|\n)*)Account Name:\s+(.*\$)"
blacklist5 = Message="Account Name:[\s]*(HealthMailbox.*)"
blacklist4 is the one I am trying to make work, to filter events with a "$" sign in the second "Account Name" field, but it doesn't work.
I am pretty sure that the regex is correct, because when I tried the same regex in online regex checkers against the above event, it matched.
Hence I am wondering: is there a special regex language that Splunk uses, which would explain why the above regex doesn't work?
Any help appreciated.
Thanks,
Fatema.
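Added example, not part of the original post or of Splunk's own code: a Python script that runs the posted blacklist4 pattern over a constructed copy of the 4624 message shown above (Python's re engine behaves like the PCRE that Splunk uses for this particular pattern), and beside it a variant anchored on the "New Logon:" header rather than on the second occurrence of "Account Name:". It also runs both patterns over a CRLF copy of the message, since Windows event messages commonly carry "\r\n" line endings. The sample text, the CRLF assumption and names such as SAMPLE_MESSAGE and second_account_name are assumptions made for this example.

```python
import re

# Constructed sample, modelled on the 4624 message in the post (not real data).
# The Security ID line deliberately contains "$" so we can show that only the
# "Account Name" line is consulted.
SAMPLE_MESSAGE = """An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
Security ID: XYZ\\name1$
Account Name: name1$
Account Domain: XYZ
Logon ID: 0xxxxxx
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: xyz
Source Network Address: x.x.x.x
Source Port: 60000
"""

# Constructed variants: a human user under New Logon (should be kept), and a
# machine account under Subject only (should also be kept, since the post only
# cares about the second Account Name).
USER_MESSAGE = SAMPLE_MESSAGE.replace("name1$", "alice")
SUBJECT_ONLY_MESSAGE = (
    SAMPLE_MESSAGE.replace("Account Name: -", "Account Name: svc$")
    .replace("name1$", "alice")
)

# The regex from blacklist4 in the post, verbatim. "(.|\n)*" is the usual
# trick to let the match span lines without a DOTALL flag.
POSTED_PATTERN = r"Account Name:\s*((.|\n)*)Account Name:\s+(.*\$)"

# Alternative (assumption: the field of interest always sits under a
# "New Logon:" header, as in 4624). Anchoring on the header means the rule no
# longer depends on counting occurrences of "Account Name:". "[\s\S]*?" is a
# lazy any-character-including-newline span; "\S+" stops at space or CR/LF.
SECTION_PATTERN = r"New Logon:[\s\S]*?Account Name:\s+(\S+)"


def posted_pattern_matches(message: str) -> bool:
    """True when the post's blacklist4 regex matches the message."""
    return re.search(POSTED_PATTERN, message) is not None


def second_account_name(message: str):
    """Return the Account Name under the New Logon section, or None."""
    m = re.search(SECTION_PATTERN, message)
    return m.group(1) if m else None


def should_blacklist(message: str) -> bool:
    """Drop the event only when the New Logon account name ends with '$'."""
    name = second_account_name(message)
    return name is not None and name.endswith("$")


if __name__ == "__main__":
    for label, msg in [
        ("machine account under New Logon", SAMPLE_MESSAGE),
        ("user under New Logon", USER_MESSAGE),
        ("machine account under Subject only", SUBJECT_ONLY_MESSAGE),
        ("machine account, CRLF line endings", SAMPLE_MESSAGE.replace("\n", "\r\n")),
    ]:
        print(
            f"{label}: posted regex matches={posted_pattern_matches(msg)}, "
            f"second Account Name={second_account_name(msg)!r}, "
            f"blacklist={should_blacklist(msg)}"
        )
```

Both patterns agree on all four constructed messages, so the regex itself is not what rejects the event in a plain PCRE engine; the section-anchored form is simply easier to reason about because it names the section it reads from. What this check cannot tell you is how the forwarder parses the blacklist value out of inputs.conf before it reaches the regex engine, which is the open question in the post.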