Splunk search for windows event id

1/2/2023

Quite a while ago I wrote a blog post entitled The Splunk App for Active Directory and How I tamed the Security Log. It detailed how to limit the amount of data going into the Splunk index through filtering. I included two techniques: firstly, filtering by event code so that you didn't index the events you didn't want, and secondly, filtering the explanatory text on the end of each event.

Splunk 6 makes this so much easier that the prior blog post is no longer relevant. Let's say you don't want firewall events. From the previous blog post, event ID 51 details the firewall connection accept and deny messages. Previously, we had to add a nf stanza to initiate a filtering action that was done in nf; it was complicated. There are two new parameters you can specify. The first, shown here, is a blacklist of all the event IDs you don't want to monitor. You can use ranges (as I did here), comma-separate individual event IDs, or even comma-separate ranges of event IDs. The second parameter is a whitelist, for when there are more event IDs you want to drop than event IDs you want to keep.

The second facility I wrote about was suppressing the explanatory text. Let's take a look at a typical Windows event prior to the text suppression:

08:29:33 AM SourceName=Microsoft Windows security auditing. This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

You see that "This event is generated…" text? That's the explanatory text. Every single security event has similar explanatory text. Since these events get generated every 10-15 minutes for every single user on your domain controllers and they are 100+ bytes, you can see how they can add up. In Splunk 6, you can add a new parameter to your nf stanza to suppress the Message field:
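As an added example (not the post's own configuration), here is the kind of stanza the post describes, with the unfiltered form beside the Splunk 6 form. It assumes the Windows event log input is defined in inputs.conf on the forwarder, and that the firewall accept/deny events are IDs 5156 and 5157; the whitelist IDs are illustrative values.

```ini
# Added example, not the post's own config. Assumes the Windows event
# log input lives in inputs.conf; event IDs 5156/5157 are assumed to be
# the firewall connection accept/deny events.

# BEFORE: the default Security stanza forwards every event ID together
# with the full Message text, boilerplate description included.
[WinEventLog://Security]
disabled = 0

# AFTER (Splunk 6): the same stanza with the two new parameters. Use
# this in place of the stanza above, not alongside it (same stanza name).
[WinEventLog://Security]
disabled = 0
# blacklist: event IDs that are never sent to the indexer. Ranges and
# comma-separated values can be mixed, e.g. "4634,5156-5157".
blacklist = 5156-5157
# suppress_text = 1 drops the explanatory "This event is generated
# when..." text from the Message field; the searchable fields remain.
suppress_text = 1

# Inverse form for when most event IDs are unwanted: list only the ones
# to keep (illustrative IDs: 4624/4634 logon/logoff, 4768-4769 Kerberos).
# [WinEventLog://Security]
# disabled = 0
# whitelist = 4624,4634,4768-4769
# suppress_text = 1
```

After changing the stanza, check one freshly indexed event in search to confirm the Message field no longer carries the description and that the blacklisted codes stop arriving.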