topic Re: Help whitelisting Windows Event IDs in Getting Data In

How to whitelist Windows Event IDs?

lutzmw — Thu, 21 Jul 2022 15:27:25 GMT

I need assistance with whitelisting as I can’t make it work. I’m running the free trial version 9.0.0 of Splunk Enterprise. I have 1 Receiver (on a CentOS VM), and some Windows and CentOS systems (VM’s and physical devices) with the Universal Forwarder installed. I’m getting data in from all my systems. On the Windows systems I only need to see data from select Windows Security Log Events and would like to exclude all other log data/events. I’ve read Splunk’s documentation about whitelisting and I guess I just don’t understand what I’m reading. It doesn’t seem to be working as my license usage hasn’t decreased and/or I don’t know how to verify if it’s working.

I created an inputs.conf file in the following location: /etc/system/local/ on the Universal Forwarders and its content is:

[WinEventLog://Security]

whitelist=1100,1101,1102,4616,4624,4625,4634,4647,4648,4657,4704,4705,4719,4720,4722,4723,4724,4725,4726,4740,4767,4776,4777,4616

Is this correct?

Do I have to put the statement disabled = 0 or is it implied?

I haven’t configured anything through Splunk web, do I need to do that?

Where do I save the inputs.conf file? On the Receiver only, on the Universal Forwarders only, or on both?

Do I need to include all the statements from the default inputs.conf file in my new one?

Besides decreased license usage, is there a way to know if my whitelist is working?

Thank you for any and all help.

Re: Help whitelisting Windows Event IDs

gcusello — Wed, 20 Jul 2022 06:48:23 GMT

Hi @lutzmw,

at first I hint to read https://docs.splunk.com/Documentation/Splunk/latest/Data/AboutWindowsdataandSplunk and search on the YouTube Splunk Channel some video that describes how to ingest windows data.

Anyway, at first, don't create any inputs.conf, but download and install both on Splunk Enterprise and Windows clients the Splunk_TA-Windows (https://splunkbase.splunk.com/app/742/) that was created just to input and parse windows logs.

You have only to enable (on the Forwarders) the Wineventlog:Security input: you can do this copying inputs.conf from default to local folder and changing (in local inputs.conf) disabled from 1 to 0 in the wineventlog:security stanza, and restart Splunk on forwarders at the end.

In this way, you'll have all wineventlogs correctly indexed and parsed.

Then, if you want to filter wineventlogs:security logs, you can use (in the Forwarder's local inputs.conf) whitelist or blacklist: you have to add a row to indicate the EventCodes to blacklist or whitelist.

For more infos about this see at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf.

Ciao.

Giuseppe

Re: Help whitelisting Windows Event IDs

lutzmw — Thu, 21 Jul 2022 13:43:18 GMT

Giuseppe,

Thanks for the response. I haven't had a chance to try your solution but I should be able to try it soon. At the bottom of the default inputs.conf file there's a section that I don't understand. It says # default single instance modular input restarts. Can you explain what this is? It also has a [WinEventLog] entry. Is this where I make the change that's needed or do I place my whitelist further up in the file. Thanks again

Mike

Re: Help whitelisting Windows Event IDs

gcusello — Thu, 21 Jul 2022 14:55:36 GMT

Hi @lutzmw,

sorry but I download the latest version of this TA and I didn't find the section you mentioned!

could you share it?

Ciao.

Giuseppe

Re: Help whitelisting Windows Event IDs

lutzmw — Thu, 21 Jul 2022 17:19:39 GMT

The section I'm asking about is in the default inputs.conf file. It's on the last page of the attached pdf. Thanks for your help.

Re: Help whitelisting Windows Event IDs

gcusello — Fri, 22 Jul 2022 08:40:15 GMT

Hi @lutzmw,

we're speaking of two different things:

I'm speaking of the last Splunk Add-On for Microsoft Windows (https://splunkbase.splunk.com/app/742/) and its last release is 8.5;

instead you're speaking of the inputs.conf in $SPLUNK_HOME/etc/system/default, in other words the default inputs.conf of Splunk.

This means that your file is the inputs.conf that you find by default in Splunk and the inputs you're speaking are the modular inputs present by default in Splunk and that you can see in the GUI.

Ciao.

Giuseppe