topic Re: How to blacklist inputs.conf? in Getting Data In

How to blacklist inputs.conf?

garrywilmeth — Tue, 24 May 2022 00:33:43 GMT

Hello,

We have a rather noisy agent that is logging about 19GB of data daily. How can I filter the following from the inputs.conf?

Process Information:

Process ID: 0x1450

Process Name: C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.1.5.14\ir_agent.exe

Thanks,

Garry

Re: How to blacklist inputs.conf?

gcusello — Tue, 24 May 2022 06:48:57 GMT

Hi @garrywilmeth,

if you're speaking of Wineventlog, you can blacklist some EventCode in the inputs.conf; for more infos see at https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Inputsconf

In few words, put in the winevenlog stanza

# Filtering at the input layer is desirable to reduce the total # processing load in network transfer and computation on the Splunk platform # nodes that acquire and processing Event Log data. blacklist = <list of eventIDs> | key=regex [key=regex]

If instead it's another kind of data source, you have to filter your data on the Indexers or (if present) on Heavy Forwarders following the instructions at https://docs.splunk.com/Documentation/Splunk/8.2.6/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues

In few words, if you need to discard only some data (the ones with the string "C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.1.5.14\ir_agent.exe") you have to put in props.conf:

[source::/var/log/messages] TRANSFORMS-null= setnull

and in transforms.conf

[setnull] REGEX = C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\3.1.5.14\\ir_agent.exe DEST_KEY = queue FORMAT = nullQueue

and restart Splunk.

Ciao.

Giuseppe

Re: How to blacklist inputs.conf?

garrywilmeth — Tue, 24 May 2022 13:12:28 GMT

Hello @gcusello,

Thank you for the reply. Yes, the events are from the Windows Event Security log. I don't want to filter all 4703 events coming from the windows event log, only those also containing IR_agent.exe. As far as the path for the agent, the filename IR_agent.exe is constant where the path contains the version number and changes when the agent is upgraded.

Can this be done at the inputs.conf level?

Thanks,

Garry

Re: How to blacklist inputs.conf?

gcusello — Tue, 24 May 2022 13:27:38 GMT

Hi @garrywilmeth,

yes, you can, as you can see in the inputs.conf documentation, you have:

blacklist = <list of eventIDs> | key=regex [key=regex]

you can blacklist an EventCode or a regex in inputs.conf.

Ciao.

Giuseppe

Re: How to blacklist inputs.conf?

garrywilmeth — Tue, 24 May 2022 15:11:45 GMT

Something like this?

blacklist = EventCode=“4703” Message=“\\ir_agent.exe”

Re: How to blacklist inputs.conf?

gcusello — Tue, 24 May 2022 15:40:48 GMT

Hi @garrywilmeth,

check the regex in Splunk indexed data, if this regex match the events to discard you can apply it to blacklist.

Ciao.

Giuseppe