<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: getting bombarded with windows security error code 5156 and 5157 (Win security) in Deployment Architecture</title>
    <link>https://community.splunk.com/t5/Deployment-Architecture/getting-bombarded-with-windows-security-error-code-5156-and-5157/m-p/332304#M19530</link>
    <description>&lt;P&gt;As always your help and suggestions are most appreciated. I will spin up a Splunk server and a couple of clients and test this out. I myself have a couple of concepts that I need to test as well.&lt;BR /&gt;
Thanks&lt;BR /&gt;
/R&lt;/P&gt;</description>
    <pubDate>Wed, 11 Apr 2018 19:02:11 GMT</pubDate>
    <dc:creator>ranjitbrhm1</dc:creator>
    <dc:date>2018-04-11T19:02:11Z</dc:date>
    <item>
      <title>getting bombarded with windows security error code 5156 and 5157 (Win security)</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/getting-bombarded-with-windows-security-error-code-5156-and-5157/m-p/332300#M19526</link>
      <description>&lt;P&gt;Hello All,&lt;BR /&gt;
   I have a distributed system where I have a heavy forwarder collecting traffic from the UFs and forwarding events to the indexer. I have a DMC which is on another server. Currently I'm getting bombarded with 5156 and 5157 error messages from Windows security. I've read somewhere that I can blacklist the values in inputs.conf. Can someone please let me know which inputs.conf file on which server I have to do the blacklist on? Alternatively, is there any other method to control this constant flow of data?&lt;/P&gt;</description>
      <pubDate>Wed, 11 Apr 2018 16:37:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/getting-bombarded-with-windows-security-error-code-5156-and-5157/m-p/332300#M19526</guid>
      <dc:creator>ranjitbrhm1</dc:creator>
      <dc:date>2018-04-11T16:37:41Z</dc:date>
    </item>
    <item>
      <title>Re: getting bombarded with windows security error code 5156 and 5157 (Win security)</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/getting-bombarded-with-windows-security-error-code-5156-and-5157/m-p/332301#M19527</link>
      <description>&lt;P&gt;@ranjitbrhm1, add the following blacklist to your inputs.conf stanza to filter out events from UF: &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;blacklist = 5156,5157
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Refer to documentation: &lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_the_Security_event_log_to_monitor_changes_to_files"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_the_Security_event_log_to_monitor_changes_to_files&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 11 Apr 2018 16:58:26 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/getting-bombarded-with-windows-security-error-code-5156-and-5157/m-p/332301#M19527</guid>
      <dc:creator>niketn</dc:creator>
      <dc:date>2018-04-11T16:58:26Z</dc:date>
    </item>
    <item>
      <title>Re: getting bombarded with windows security error code 5156 and 5157 (Win security)</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/getting-bombarded-with-windows-security-error-code-5156-and-5157/m-p/332302#M19528</link>
      <description>&lt;P&gt;Thanks for the answer @niketnilay as always. I really appreciate it. But my main problem is which %SPLUNK_HOME%\etc\system\local\inputs.conf do I make the changes to: the app that I use to deploy the inputs.conf to the UFs, the heavy forwarder's inputs, or the indexer's inputs? That's the question that is boggling me. I tried sending out this change via the DMC to the UFs but it does not seem to have any effect.&lt;/P&gt;

&lt;P&gt;My inputs.conf file is as below&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 1
start_from = oldest
index = winevents
blacklist = 5156|5157|5158

[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents

[WinEventLog://ForwardedEvents]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents

[perfmon://Windows__Processor]
counters = *
instances = _Total
interval = 10
object = Processor
index = winevents

[perfmon://Windows__Memory]
counters = Available Bytes
interval = 10
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 11 Apr 2018 17:58:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/getting-bombarded-with-windows-security-error-code-5156-and-5157/m-p/332302#M19528</guid>
      <dc:creator>ranjitbrhm1</dc:creator>
      <dc:date>2018-04-11T17:58:12Z</dc:date>
    </item>
    <item>
      <title>Re: getting bombarded with windows security error code 5156 and 5157 (Win security)</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/getting-bombarded-with-windows-security-error-code-5156-and-5157/m-p/332303#M19529</link>
      <description>&lt;P&gt;@ranjitbrhm1, the heavy forwarder should definitely be able to filter, but the UF should be able to filter events upfront. If possible, test with a standalone machine and a test Splunk server.&lt;/P&gt;

&lt;P&gt;You can look into sending &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues"&gt;unwanted data to nullQueue&lt;/A&gt; before indexing; however, I strongly feel this should work. Let me convert my answer to a comment for community Splunk experts to weigh in with their opinion.&lt;/P&gt;</description>
      <pubDate>Wed, 11 Apr 2018 18:57:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/getting-bombarded-with-windows-security-error-code-5156-and-5157/m-p/332303#M19529</guid>
      <dc:creator>niketn</dc:creator>
      <dc:date>2018-04-11T18:57:38Z</dc:date>
    </item>
    <item>
      <title>Re: getting bombarded with windows security error code 5156 and 5157 (Win security)</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/getting-bombarded-with-windows-security-error-code-5156-and-5157/m-p/332304#M19530</link>
      <description>&lt;P&gt;As always your help and suggestions are most appreciated. I will spin up a Splunk server and a couple of clients and test this out. I myself have a couple of concepts that I need to test as well.&lt;BR /&gt;
Thanks&lt;BR /&gt;
/R&lt;/P&gt;</description>
      <pubDate>Wed, 11 Apr 2018 19:02:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/getting-bombarded-with-windows-security-error-code-5156-and-5157/m-p/332304#M19530</guid>
      <dc:creator>ranjitbrhm1</dc:creator>
      <dc:date>2018-04-11T19:02:11Z</dc:date>
    </item>
  </channel>
</rss>