In fact, I do have the wrong list. My apologies. My only (weak) defense is that I'm using OSSEC agents to feed data to Splunk. Please disregard this post (unless you can help with my problem).
On Feb 1, 3:17 pm, Paul Southerington <[email protected]> wrote:
> I think you have the wrong mailing list. :-)
>
> This is for OSSEC - if you have Splunk questions,
> try http://splunk-base.splunk.com/answers/
>
> On Wed, Feb 1, 2012 at 3:04 PM, biciunas <[email protected]> wrote:
> > I'm running a Splunk 4.2.5 server on CentOS. On a Win2k3 server I've
> > installed Universal SplunkForwarder 4.3, collecting Application,
> > Security, and System events. I don't want to see Security "Success
> > Audit" events, since there are about anywhere from 1000-3500 per
> > minute. (And I need to have the Audit Success flags turned on the
> > server since we need to be CIS server compliant.)
> >
> > On the server, I have defined
> >
> > props.conf
> > [WinEventLog:Security]
> > TRANSFORMS-set=dropevents
> >
> > transforms.conf
> > [dropevents]
> > REGEX = (?msi)^EventCode=(560|562|567).*^(Type=Audit Success)
> > DEST_KEY = queue
> > FORMAT = nullQueue
> >
> > I've tried various forms of the REGEX, including just the EventCodes,
> > one EventCode, etc. Nothing seems to work; no events are dropped. I
> > read that this was a known issue before 4.2.1, but it is not listed in
> > the 4.3 known issues. Can anyone enlighten me as to what I may be
> > doing wrong?
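A way to check the quoted nullQueue REGEX against sample events offline, before touching a forwarder or indexer; this is an added example, not code from the thread or from Splunk. Python's re module stands in for Splunk's PCRE engine, and the multi-line event text and its field order are constructed to resemble the WinEventLog input format (both are assumptions).

```python
import re

# The REGEX exactly as it appears in the quoted transforms.conf stanza.
DROP_REGEX = re.compile(r"(?msi)^EventCode=(560|562|567).*^(Type=Audit Success)")

# Constructed sample events (not real logs). The field order mimics the
# text Splunk's WinEventLog input produces; that order is an assumption.
SAMPLE_EVENTS = [
    "01/31/2012 03:04:05 PM\nLogName=Security\nSourceName=Security\n"
    "EventCode=560\nEventType=8\nType=Audit Success\n"
    "ComputerName=WIN2K3-01\nMessage=Object Open",
    "01/31/2012 03:04:06 PM\nLogName=Security\nSourceName=Security\n"
    "EventCode=560\nEventType=16\nType=Audit Failure\n"
    "ComputerName=WIN2K3-01\nMessage=Object Open",
    "01/31/2012 03:04:07 PM\nLogName=Security\nSourceName=Security\n"
    "EventCode=528\nEventType=8\nType=Audit Success\n"
    "ComputerName=WIN2K3-01\nMessage=Successful Logon",
]


def would_drop(event: str, pattern=DROP_REGEX) -> bool:
    """True if the transform's REGEX matches, i.e. the event would be routed to nullQueue."""
    return pattern.search(event) is not None


def classify(events):
    """Return (EventCode, Type, dropped) for each event so the decision can be reviewed."""
    result = []
    for ev in events:
        code = re.search(r"^EventCode=(\d+)$", ev, re.M).group(1)
        typ = re.search(r"^Type=(.+)$", ev, re.M).group(1)
        result.append((code, typ, would_drop(ev)))
    return result


if __name__ == "__main__":
    for code, typ, dropped in classify(SAMPLE_EVENTS):
        verdict = "nullQueue" if dropped else "indexed"
        print(f"EventCode={code:<4} Type={typ:<14} -> {verdict}")
```

If the regex matches the sample as expected here but events still reach the index, the problem is in where or how the transform is applied rather than in the pattern itself.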
