Getting Data In

Multiple whitelist in inputs.conf

marco_massari11
Communicator

Hello,

I need to monitor two different types of events for some servers, the authentication events (4624,4634,4625) for the admin users and some Event ID related to change events (5145,4663,4659) for a specific path. Basically I created a server class for the inputs.conf deployment, adding this:

###### OS Logs ######
[WinEventLog://Security]
disabled = 0
index = windows_tmp
followTail=true
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = (EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*))
renderXml=false
 
 
I already tested the regex in regex101 https://regex101.com/r/LIaMnU/1 and it seems working fine, but in Splunk I'm receiving all the events as the whitelist is not applied. Am I missing something?
 
 
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

As @richgalloway already pointed out - the format is wrong. You need the key=regex format. And you need to split it into separate whitelist entries (each entry can have multiple key=regex parameters).

The trick here is that Account Name is not a field within the event but a field in the Message field of the event. So you need to match it as a regex within the Message field.

So you'd effectively end up with something like

whitelist1 = EventCode=%(4624|4634|4625)% Message=%Account Name:.*\.adm%
whitelist2 = EventCode=%(4659|4663|5145)% Message=%Object Name:.*Test_share%
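As an added illustration of the answer above (example code, not from the thread or from Splunk), here is a small Python simulator of the whitelist semantics it describes, run over constructed sample events: each whitelistN entry is an alternative, every key=%regex% pair inside one entry must match, and the regex is assumed to be applied unanchored to the field text.

```python
import re
from typing import Dict, List

# Constructed inputs.conf fragment using the two-entry form from the answer.
INPUTS_CONF = r"""
[WinEventLog://Security]
whitelist1 = EventCode=%(4624|4634|4625)% Message=%Account Name:.*\.adm%
whitelist2 = EventCode=%(4659|4663|5145)% Message=%Object Name:.*Test_share%
"""

# The original single-regex value from the question, for comparison.
ORIGINAL_WHITELIST = r"(EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*))"

PAIR_RE = re.compile(r"(\w+)=%(.*?)%")  # one key=%regex% token

def is_key_regex_form(value: str) -> bool:
    """True if the whitelist value contains at least one key=%regex% pair."""
    return bool(PAIR_RE.search(value))

def parse_whitelists(conf: str) -> List[Dict[str, re.Pattern]]:
    """Return one {field: compiled_regex} dict per whitelist/whitelistN line."""
    entries = []
    for line in conf.splitlines():
        m = re.match(r"\s*whitelist\d*\s*=\s*(.*)$", line)
        if not m:
            continue
        if not is_key_regex_form(m.group(1)):
            raise ValueError(f"not key=%regex% form: {line.strip()}")
        entries.append({k: re.compile(rx) for k, rx in PAIR_RE.findall(m.group(1))})
    return entries

def passes(event: Dict[str, str], entries: List[Dict[str, re.Pattern]]) -> bool:
    """Entries are OR'd; the key=regex pairs inside one entry are AND'd.
    Assumption: the regex is searched (unanchored) in the named field's text."""
    return any(
        all(rx.search(str(event.get(key, ""))) for key, rx in entry.items())
        for entry in entries
    )

# Constructed sample events; Message is trimmed to the relevant lines.
EVENTS = [
    {"EventCode": "4624", "Message": "An account was successfully logged on.\nAccount Name:\t\tjdoe.adm\n"},
    {"EventCode": "4624", "Message": "An account was successfully logged on.\nAccount Name:\t\tjdoe\n"},
    {"EventCode": "5145", "Message": "A network share object was checked.\nObject Name:\t\t\\\\*\\Test_share\\docs\n"},
    {"EventCode": "5145", "Message": "A network share object was checked.\nObject Name:\t\t\\\\*\\Public\n"},
    {"EventCode": "4663", "Message": "Object Name:\t\tC:\\Shares\\Test_share\\secret.txt\n"},
    {"EventCode": "4688", "Message": "A new process has been created.\n"},
]

def filter_results(events=EVENTS, conf=INPUTS_CONF):
    """(EventCode, kept?) for each event under the parsed whitelist entries."""
    entries = parse_whitelists(conf)
    return [(e["EventCode"], passes(e, entries)) for e in events]
```

Only the admin logon and the Test_share access events are kept; the same logic also shows that the question's original value contains no key=%regex% pair at all.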

gcusello
SplunkTrust
SplunkTrust

Hi @marco_massari11 ,

good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

richgalloway
SplunkTrust
SplunkTrust

The whitelist value must be a list of event IDs or one or more key=regex expressions.  The current value is just a regular expression, which is not supported.

---
If this reply helps you, Karma would be appreciated.

marco_massari11
Communicator

Hello @richgalloway ,

have you any possible solution?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I don't really have a solution.  I was going to suggest multiple white lists, but you said that didn't work for you.

Also, you want to filter on AccountName and ObjectName, but those fields are not supported by whitelist/blacklist.  See https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf#Event_Log_allow_list_and_deny_li... for the list of supported fields.

Consider ingesting the Windows events in XML format and filtering them using the $XmlRegex key.  See https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorWindowseventlogdata#Use_allow_l... for more information.

---
If this reply helps you, Karma would be appreciated.

gcusello
SplunkTrust
SplunkTrust

Hi @marco_massari11,

at first sight the regex isn't correct; what happens if you try to use it in a search using the regex command?

Ciao.

Giuseppe

marco_massari11
Communicator

Hello @gcusello ,

you're right, in Splunk I have the following error "The regex '((EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*)))' does not extract anything. It should specify at least one named group. Format: (?<name>...)". I also tried to split the regex into two separate whitelists, but I think they are in AND, so it's not working. Have you any solution?

Regards,

Marco

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @marco_massari11 ,

identify the three regexes and collect them using .*

Ciao.

Giuseppe
