Security Log Filtering ineffective

Answered

Follow

Dan Kratz

• August 03, 2015 17:16

Recently enabled audit logging on success/failure for a Windows server. The"Windows Filtering Platform has permitted a connection" EventCode = 5156 is logged thousands of times per hour. The filter "Does not match EventCode = 5156" was created and applied to the collector but the events continue to be pulled into Sumo. What can be done to filter out these events?

1

• 

  Mario Sanchez

  • September 25, 2015 22:12

  Hi Dan,
  To be on the same page, I assume the filter was added using the UI following the following steps:
  https://service.sumologic.com/help/Default.htm#Filtering_data_sent_from_a_Source.htm%3FTocPath%3DManage%7CManaging%2520Installed%2520Collectors%2520and%2520Sources%7CSources%7CFiltering%2520Source%2520Data%7C_____4

  Some basic questions to help you debug:
  - Do you have other filters for this same Source? Keep in mind that Excludes take precedence over Include filters, and if mire than 2 filters apply, they boolean OR is assumed.
  - Another thing to keep in mind is that your rule must match from the beginning to the end of the message. If you are looking for "Event Code = 5156", write the rule .Event Code = 5156.

  Hope this helps.

  0

  Comment actions Permalink
• 

  Austin Ayers

  • October 14, 2015 17:48

  I am generating about 3-4GB a day of these! I am also looking for a proper Regex to exclude those!

  0

  Comment actions Permalink
• 

  Kevin Francis

  • October 14, 2015 17:51

  Try using this as an exclude filter:
  (?s).5156(?s).

  0

  Comment actions Permalink
• 

  Austin Ayers

  • October 14, 2015 18:04

  Thank you Kevy. That worked well but I settled on (?s).EventCode.*5156(?s). because it seemed more specific. I am new to these type of regexes. I great tool i came across was regex101.com for testing them.

  0

  Comment actions Permalink

Please sign in to leave a comment.