Windows Event Clean Up in Splunk
[WinEventLog:Security]
# Returns most of the space savings XML would provide
# Blank out placeholder values: "Field:   -", ": NULL SID" and "ID: 0x0"
SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
# Drop the explanatory boilerplate Windows appends to the end of many events
SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g
SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g
# Strip the IPv4-mapped IPv6 prefix so addresses are left as plain IPv4
SEDCMD-clean3-blank_ipv6 = s/::ffff://g
SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g
SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g
# Remove the IPv6 loopback address (unanchored, so it also matches inside longer addresses)
SEDCMD-clean7-local_ipv6 = s/(?ms)(::1)//g
# Removed due to issue with Windows Filtering Platform events
# SEDCMD-clean8-firewall_summary = s/(?ms)(The Windows Filtering Platform has permitted.*$)//g
@automine (Owner, Author) commented Jul 31, 2018:

Note: if you use the AD Objects app, it has some extractions (namely EXTRACT-ms_ad_obj_user and EXTRACT-4624-user) which are a little over-aggressive. When you combine them with the SEDCMD-clean0-null_sids above, you may get some extractions of user=Account Domain: as well as some other weirdness. You may want to look at adjusting those extractions. Thanks to mpf on the Splunk User Groups Slack for finding this.
