Forums: SplunkGeneral: Send Windows Events to the nullQueue


I have a LightWeightForwarder installed on a Windows 2003 Domain controller. There are certain security events that are very noisy and I would like to filter these before they are forwarded and indexed.

I have followed the instructions located here:
Route specific events to different queues http://www.splunk.com/doc/3.4.1/admin/FilterFromIndex

However I am having problems with my regex. This is my multiline event:

11/25/08 03:01:41 PM
Category=2
CategoryString=Logon/Logoff
ComputerName=DC2
EventCode=538
EventType=8
Type=Success Audit
User=DC3$
Sid=S-1-5-21-1757981266-1275210071-682003330-6176
SidType=1
SourceName=Security
Message=User Logoff:
User Name: DC3$
Domain: CCU
Logon ID: (0x0,0x631BC867)
Logon Type: 3

I need my regex to find any event with "EventCode=538" or "EventCode=540" and has a "User Name: DC3$" or "User Name: AD2$"

This is my regex:

(EventCode=5(38|40)|User Name:.[ADad][CDcd]\d\$)

This regex does not work because events with either EventCode OR User Name are routed to the nullQueue. How can I change this regex to only route when both are true?

If you can be sure that "EventCode" always is listed in the event before "User Name", you can try:

(?ms)(EventCode=5(38|40).*User Name:.[ADad][CDcd]\d\$)

(?ms) before the regular expression tells the regex to match across lines, in particular so that "." matches the newline as well as other characters.
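To see why the alternation in the question discards too much while the (?ms) form only fires when both conditions hold, here is an added Python example (not from the thread; Python's re engine stands in for Splunk's PCRE, the first event is the one posted above trimmed to the relevant lines, and the variant events are constructed):

```python
import re

# Regex from the question: a top-level alternation, so EITHER condition
# on its own sends the event to nullQueue.
EITHER_RE = re.compile(r"(EventCode=5(38|40)|User Name:.[ADad][CDcd]\d\$)")

# Regex from the answer (with balanced parentheses): (?ms) lets '.' span
# newlines, so BOTH parts must appear, in that order, inside one event.
BOTH_RE = re.compile(r"(?ms)(EventCode=5(38|40).*User Name:.[ADad][CDcd]\d\$)")

# Event from the question, trimmed to the lines the regexes look at.
EVENT_538_DC3 = """11/25/08 03:01:41 PM
EventCode=538
SourceName=Security
Message=User Logoff:
User Name: DC3$
Domain: CCU
Logon Type: 3
"""

# Constructed variants (not from the thread) that exercise each branch.
EVENT_538_OTHER_USER = EVENT_538_DC3.replace("User Name: DC3$", "User Name: JSMITH")
EVENT_528_DC3 = EVENT_538_DC3.replace("EventCode=538", "EventCode=528")
EVENT_540_AD2 = (EVENT_538_DC3.replace("EventCode=538", "EventCode=540")
                 .replace("DC3$", "AD2$"))


def routes_to_nullqueue(event: str, pattern: re.Pattern) -> bool:
    """Mimic a transforms.conf REGEX test: any match routes the event away."""
    return pattern.search(event) is not None


def classify(event: str) -> dict:
    """Report whether each regex would discard the given event."""
    return {
        "either": routes_to_nullqueue(event, EITHER_RE),
        "both": routes_to_nullqueue(event, BOTH_RE),
    }


if __name__ == "__main__":
    samples = [("538/DC3$", EVENT_538_DC3), ("538/JSMITH", EVENT_538_OTHER_USER),
               ("528/DC3$", EVENT_528_DC3), ("540/AD2$", EVENT_540_AD2)]
    for name, ev in samples:
        print(f"{name:12} -> {classify(ev)}")
```

Only the 538/DC3$ and 540/AD2$ events should be dropped; in the posted event "User Name:" sits inside the Message field after EventCode, so the ordering assumption in the answer holds for this event format.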

Perfect! Thanks.
