topic Wineventlog Filtration in Splunk Enterprise

Wineventlog Filtration

anandhalagaras1 — Wed, 21 Apr 2021 05:42:03 GMT

Hi All,

Based on this query I want to filter out wineventlog before ingesting into Splunk. So that i can save some licenses. So the condition is something like for two of the sourcetypes and for the particular eventcodes (4624,4634) I want to filter out if the logs comes from Account Name= - & *$ for the particular set of hosts.

index=abc sourcetype IN (winev,wind) EventCode IN (4624,4634) Account_Name="-" Account_Name="*$" host=*xyz*

So do we need to write the blacklist stanza in the inputs.conf file or do we need to specify the props and transforms separately.

Actually for all Windows client machines we are ingesting the wineventlog with the help of Deployment master server.

So from Deployment master server we used to push the configurations to all windows machines so kindly help with the stanza for the same.

Re: Wineventlog Filtration

scelikok — Wed, 21 Apr 2021 06:08:38 GMT

Hi @anandhalagaras1,

You can use blacklist on your inputs like below, but this will not filter on host base. You may think about sending this stanza to specific hosts by creating a separate serverclass.

[WinEventLog:Security] blacklist1 = EventCode = "4624" Message = "Account Name:\s+-" blacklist2 = EventCode = "4624" Message = "Account Name:\s+*\$"

Re: Wineventlog Filtration

anandhalagaras1 — Wed, 21 Apr 2021 07:57:11 GMT

@scelikok

Thank you for your response. So i have created an app and enter the blacklist as mentioned below and planning to deploy for those particular hosts as you have explained.

[WinEventLog://Security]
disabled=0
current_only=1
blacklist1 = EventCode = "4624" Message = "Account Name:\s+-"
blacklist2 = EventCode = "4624" Message = "Account Name:\s+*\$"
blacklist3 = EventCode = "4634" Message = "Account Name:\s+-"
blacklist4 = EventCode = "4634" Message = "Account Name:\s+*\$"
renderXml=0
index = abc

But already I can see there is one inputs.conf file for [WinEventLog://Security] and there are around 10 blacklist mentioned for those [WinEventLog://Security] and these 10 blacklist is getting deployed to all the Windows client machines since in serverclass.conf file and i can see that they have whitelist as * for the hosts. So its deployed to all windows client machines.

So as mentioned above, If i deploy the Recently created app for the set of servers & for the eventcode (4624, 4634) will it affect the existing blacklist which is already present (i.e. 10 blacklist) since both of the source are same [WinEventLog://Security].

Kindly help to confirm the same. So based on that i will plan and deploy it.

Re: Wineventlog Filtration

anandhalagaras1 — Wed, 21 Apr 2021 09:10:21 GMT

@scelikok ,

Now I have created an app and deployed for those servers alone by mentioning in the serverclass.conf file but still I can see the logs are still getting ingested into Splunk.

So is there anything which I am missing.

I have also restarted the splunk services in all those client machines. But still I can see the logs are ingesting into Splunk.

So is it because of another inputs which is already present for the same source so is it not working? Kindly help me on the same.

Re: Wineventlog Filtration

anandhalagaras1 — Thu, 22 Apr 2021 02:14:31 GMT

@scelikok

Can you kindly check and help me out on the same.