Filter Windows Event Logs using Splunk Ingest Actions

This post is a follow-up to an earlier post on filtering Windows Event Logs in Splunk, and goes a step further.

What are we trying to accomplish? Why?

Windows Event Logs (WEL) are noisy and verbose, and they produce a large volume of data. The best practice is to get quality data into Splunk, but not all of that data is equally useful. For this reason we filter WEL with regex rules before the events are indexed in our Splunk environment.

We want to do this for one or more of several reasons:

  • Reduce ingest volume (helpful for Splunk Cloud (SC) customers on ingest-based pricing).
  • Reduce processing time, since there is less data to process (helpful for SC customers on workload-based pricing).
  • Make searches more efficient and alerts faster.
  • Meet compliance requirements while staying within budget.

With the introduction of Ingest Actions (IA), Splunk users gain an additional way to shape data at ingest time: events can be filtered, masked, or routed before they are indexed. This lets you keep only the logs you need, improving data quality while controlling the volume you ingest. Whether Ingest Actions is available, and what it can do, depends on your Splunk version, platform, and permissions.

For more information, refer to the Splunk documentation on Ingest Actions requirements.

This post will primarily focus on creating IA rulesets to streamline and filter the excessive verbosity often associated with Windows Event Logs. We assume that you have already installed and configured the Windows Add-on for Splunk.

Before we proceed, note that the IA rules recommended here are derived directly from the Splunk documentation on Windows event clean-up best practices: we take the recommended transforms and translate them into IA rulesets.

Let’s begin by navigating to Ingest Actions:

  • Inside Splunk, select Settings > Data > Ingest Actions.
  • Create a new ruleset, add a rule, and select “Mask with regular expression”.
  • Open the IA Win Event Rule Set Gist, which lists all the translated rules.
  • Select the appropriate Source (e.g., WinEventLog:System) and choose the matching regex for that source.
  • In the Replace box, enter a single blank space. The event itself is kept; only the text matched by the regex is replaced with that space.
  • Use the preview to confirm that the string is matched and replaced with a blank space before saving the ruleset. Text removed at ingest time is gone for good, so test the regex against real sample events first, and make sure it does not also swallow the field values you want to keep.

Save the ruleset, and you are finished.
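The "confirm that the string is matched" step can be rehearsed offline before touching the Ingest Actions UI. The following is an added example, not code from the original post or from Splunk: it applies a mask rule to a constructed Windows Security 4688 event, replaces each match with a single space as the post does, and checks three things a practitioner cares about: that every rule actually matched, that no required field disappeared, and how many bytes the mask saves. The ruleset layout, the regexes, the sample event and the REQUIRED_FIELDS list are all assumptions made for this example; the regex is illustrative and is not quoted from Splunk's clean-up documentation or the Gist.

```python
import re

# Constructed sample for this example (not a captured event): a Windows
# Security EventCode 4688 event in the multi-line form the Splunk Add-on
# for Windows produces, followed by the explanatory boilerplate Windows
# appends to every "A new process has been created" message.
SAMPLE_4688 = "\n".join([
    "07/14/2024 09:12:33 AM",
    "LogName=Security",
    "EventCode=4688",
    "EventType=0",
    "ComputerName=host01.example.local",
    "SourceName=Microsoft Windows security auditing.",
    "Type=Information",
    "TaskCategory=Process Creation",
    "Message=A new process has been created.",
    "",
    "Creator Subject:",
    "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1001",
    "\tAccount Name:\t\tjdoe",
    "\tAccount Domain:\t\tEXAMPLE",
    "\tLogon ID:\t\t0x3E7",
    "",
    "Process Information:",
    "\tNew Process ID:\t\t0x1a2c",
    "\tNew Process Name:\tC:\\Windows\\System32\\cmd.exe",
    "\tToken Elevation Type:\t%%1938",
    "\tCreator Process ID:\t0x4f0",
    "",
    "Token Elevation Type indicates the type of token that was assigned to "
    "the new process in accordance with User Account Control policy.",
    "",
    "Type 1 is a full token with no privileges removed or groups disabled.  "
    "A full token is only used if User Account Control is disabled or if the "
    "user is the built-in Administrator account or a service account.",
    "",
    "Type 2 is an elevated token with no privileges removed or groups disabled.  "
    "An elevated token is used when User Account Control is enabled and the "
    "user chooses to start the program using Run as administrator.",
    "",
    "Type 3 is a limited token with administrative privileges removed and "
    "administrative groups disabled.  The limited token is used when User "
    "Account Control is enabled, the application does not require "
    "administrative privilege, and the user does not choose to start the "
    "program using Run as administrator.",
])

# Hypothetical ruleset in the shape the post describes: per source, a list of
# regexes whose matches are replaced with a single space. Illustrative only,
# not a rule quoted from Splunk's documentation.
GOOD_RULES = {
    "WinEventLog:Security": [
        r"(?s)Token Elevation Type indicates the type of token.*$",
    ],
}

# Same intent, but the regex is under-anchored: it also matches the real
# "Token Elevation Type:" field line and swallows everything after it.
BAD_RULES = {
    "WinEventLog:Security": [
        r"(?s)Token Elevation Type.*$",
    ],
}

# Field labels that must survive masking (assumed for this example); a rule
# that removes one of them is wrong.
REQUIRED_FIELDS = (
    "EventCode=",
    "Account Name:",
    "New Process Name:",
    "Token Elevation Type:",
)


def apply_mask_rules(event: str, source: str, rules: dict) -> tuple[str, list[int]]:
    """Apply every rule registered for `source`, replacing each match with a
    single space (the blank-space replacement used in the post). Returns the
    masked event and the match count per rule, in rule order."""
    masked = event
    counts = []
    for pattern in rules.get(source, []):
        masked, n = re.subn(pattern, " ", masked)
        counts.append(n)
    return masked, counts


def check_ruleset(event: str, source: str, rules: dict) -> dict:
    """Rehearse the 'confirm it matched' step offline: every rule must match
    at least once, no required field may disappear, and the byte reduction
    is reported so the ingest saving can be estimated."""
    masked, counts = apply_mask_rules(event, source, rules)
    missing = [f for f in REQUIRED_FIELDS if f in event and f not in masked]
    before = len(event.encode("utf-8"))
    after = len(masked.encode("utf-8"))
    return {
        "ok": all(n > 0 for n in counts) and not missing,
        "unmatched_rules": [i for i, n in enumerate(counts) if n == 0],
        "removed_required_fields": missing,
        "bytes_before": before,
        "bytes_after": after,
        "reduction_pct": round(100 * (before - after) / before, 1),
    }


if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, check_ruleset(SAMPLE_4688, "WinEventLog:Security", rules))
```

Python's `re` is close to, but not identical with, the PCRE engine Splunk uses, so treat this as a pre-flight check and still confirm the match in the Ingest Actions preview. The two rulesets show why the "confirm it matched" step matters: the good rule strips only the trailing explanation and cuts the event by well over half, while the under-anchored rule reports a match too, but the check flags that it also removed the real Token Elevation Type field.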

Disclaimer

The information shared is for general informational purposes only. I do not provide any warranty and recommend that readers test the content thoroughly before implementing it. Use the information at your own discretion and risk.