I think you have the wrong mailing list. :-)
This is for OSSEC - if you have Splunk questions, try
http://splunk-base.splunk.com/answers/
On Wed, Feb 1, 2012 at 3:04 PM, biciunas wrote:
> I'm running a Splunk 4.2.5 server on CentOS. On a Win2k3 server I've
> installed Universal SplunkForwarder 4.3, collecting Application,
> Security, and System events. I don't want to see Security "Success
> Audit" events, since there are about anywhere from 1000-3500 per
> minute. (And I need to have the Audit Success flags turned on the
> server since we need to be CIS server compliant.)
>
> On the server, I have defined
>
> props.conf
> [WinEventLog:Security]
> TRANSFORMS-set=dropevents
>
> transforms.conf
> [dropevents]
> REGEX = (?msi)^EventCode=(560|562|567).*^(Type=Audit Success)
> DEST_KEY = queue
> FORMAT = nullQueue
>
> I've tried various forms of the REGEX, including just the EventCodes,
> one EventCode, etc. Nothing seems to work; no events are dropped. I
> read that this was a known issue before 4.2.1, but it is not listed in
> the 4.3 known issues. Can anyone enlighten me as to what I may be
> doing wrong?
>