<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Blacklist Event IDs in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Blacklist-Event-IDs/m-p/580933#M102454</link>
    <description>&lt;P&gt;Since &lt;STRONG&gt;renderXml&lt;/STRONG&gt; is set to &lt;STRONG&gt;true&lt;/STRONG&gt;, the sourcetype of your event would be considered as &lt;STRONG&gt;XmlWinEventLog:Security&lt;/STRONG&gt;. So, you can define a similar stanza in the local directory of the app with the blacklist setting and you should be good with your objective.&lt;/P&gt;</description>
    <pubDate>Thu, 13 Jan 2022 12:25:10 GMT</pubDate>
    <dc:creator>tshah-splunk</dc:creator>
    <dc:date>2022-01-13T12:25:10Z</dc:date>
    <item>
      <title>Blacklist Event IDs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Blacklist-Event-IDs/m-p/577829#M102067</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;I'm new to the back-end configuration of Splunk and I've recently taken over a Splunk instance and I've been tasked with tidying it up a bit. The first thing I noticed is that there is a lot of noise coming in from event ID 5156. So I would like to blacklist this particular ID from coming in.&lt;/P&gt;&lt;P&gt;As my knowledge of this is somewhat limited, the environment has one Heavy Forwarder, and 3 indexers clustered together. When I try to read the configuration of the Universal Forwarder on the Domain Controller there is no outputs.conf in the &lt;STRONG&gt;C:\Program Files\SplunkUniversalForwarder\etc\system\local&lt;/STRONG&gt; directory, so I don't know with assurance where the events are being sent.&lt;/P&gt;&lt;P&gt;We have the Splunk Add-on for Microsoft Windows enabled on the HF, indexers and search head. However, I have only made changes to the inputs.conf located in &lt;STRONG&gt;/opt/splunk/etc/apps/splunk_ta_win/local&lt;/STRONG&gt; on the HF. I've added the following line:&lt;BR /&gt;&lt;STRONG&gt;blacklist3 = EventCode="5156" Message="Object Type:(?!\s*groupPolicyContainer)"&lt;/STRONG&gt;&lt;BR /&gt;as blacklist1 and blacklist2 were already present and I couldn't return a search for these events (meaning they're being filtered). I also restarted the Splunk service.&lt;/P&gt;&lt;P&gt;I've just run a search for the past few hours and I'm still seeing 5156 come through. Am I doing anything wrong, or do I need to perhaps make the config changes on the Indexers as well? Currently the config for the Security index looks like this:&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;&lt;STRONG&gt;[WinEventLog://Security]&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;disabled = 0&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;start_from = oldest&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;current_only = 0&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;evt_resolve_ad_obj = 1&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;checkpointInterval = 5&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;blacklist3 = EventCode="5156" Message="Object Type:(?!\s*groupPolicyContainer)"&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;renderXml=true&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The other thing that has me confused is that the 5156 events being returned are coming from "&lt;STRONG&gt;XmlWinEventLog:Security&lt;/STRONG&gt;" and not "&lt;STRONG&gt;WinEventLog:Security&lt;/STRONG&gt;". Does Splunk automatically add Xml to the front of the index name if &lt;STRONG&gt;renderXml=true&lt;/STRONG&gt;, or was that configured prior? I can't see any Xml event stanzas in this file.&lt;/P&gt;&lt;P&gt;If anyone can direct me on what I'm doing wrong, that would be great. All the Splunk instances I'm referring to are on CentOS, and they're all running 7.3.0. Upgrading to 8 is in the pipeline.&lt;/P&gt;&lt;P&gt;Am I looking in the completely wrong area, i.e. outside of the app name? At this point in time I still cannot determine the configuration on the Universal Forwarders and where they're being sent, as the outputs.conf doesn't exist.&lt;/P&gt;</description>
      <pubDate>Wed, 08 Dec 2021 23:17:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Blacklist-Event-IDs/m-p/577829#M102067</guid>
      <dc:creator>aihwab1</dc:creator>
      <dc:date>2021-12-08T23:17:19Z</dc:date>
    </item>
    <item>
      <title>Re: Blacklist Event IDs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Blacklist-Event-IDs/m-p/580933#M102454</link>
      <description>&lt;P&gt;Since &lt;STRONG&gt;renderXml&lt;/STRONG&gt; is set to &lt;STRONG&gt;true&lt;/STRONG&gt;, the sourcetype of your event would be considered as &lt;STRONG&gt;XmlWinEventLog:Security&lt;/STRONG&gt;. So, you can define a similar stanza in the local directory of the app with the blacklist setting and you should be good with your objective.&lt;/P&gt;</description>
      <pubDate>Thu, 13 Jan 2022 12:25:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Blacklist-Event-IDs/m-p/580933#M102454</guid>
      <dc:creator>tshah-splunk</dc:creator>
      <dc:date>2022-01-13T12:25:10Z</dc:date>
    </item>
  </channel>
</rss>