topic Re: How to blacklist Windows security events? in Getting Data In

How to blacklist Windows security events?

kpavan — Thu, 04 Sep 2014 06:22:53 GMT

Hi All,

We are running splunk-6.0.3-204106 version, now we are seeing high Splunk license usage from Windows Security events. So I would like to block these events. I tried below blacklist with ref blog but its not filtering any events. Please help me on how to fix this issue.

[WinEventLog:Security]
disabled = false
blacklist = 4720, 4722, 4723, 4724, 4725, 4726, 4719, 4734, 4735, 4737, 4897, 4738, 4782, 4749, 4625, 4771, 4624

Thanks!

Re: How to blacklist Windows security events?

bgaignon — Thu, 04 Sep 2014 07:36:53 GMT

Hi,
I guess you used this post to help: http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/

It looks correct.

Did you push this config on your Indexer AND Forwarder ?
Did you restart your servers ?
Do you have another stanza about WinEventLog that can overwrite this one ?

Re: How to blacklist Windows security events?

kpavan — Thu, 04 Sep 2014 10:27:19 GMT

Hi,

I did configured on indexer inputs.conf and restarted the servers as well. And there are no stanza in indexer to overwrite this one.

i just have below configs in indexer, is there any mistake in my configs.

[default]
host = splunk-index-dev-1

[WinEventLog:System]
disabled = false
blacklist = 7036

Thanks!

Re: How to blacklist Windows security events?

ppablo — Thu, 04 Sep 2014 17:51:49 GMT

Hi @kpavan

Correct me if I'm wrong, but from your post and this most recent comment, it sounds like you only configured inputs.conf on the indexer? I read through the comments thread on that blog and the writer states in the 2nd to last comment that this configuration works on the forwarder.

Re: How to blacklist Windows security events?

kpavan — Mon, 08 Sep 2014 17:41:30 GMT

Hi,

Sorry for the delay in response!

Yes, I have configured on indexer server. Now I got to know this configure works on Universal forwarder only. Sorry for my mistake.

Could you please let me know how to block from indexer level, because I have 300+ host's sending the logs to splunk and it is eating my license very much.

Please help me on this issue.

Thanks in advance!

Re: How to blacklist Windows security events?

bgaignon — Tue, 09 Sep 2014 09:32:23 GMT

So you don't have any forwarder on your 300 hosts?

If you have a distributed environment and a forwarder on every host, you can easily create a configuration to push on all your hosts using serverclass.conf.

If you receive your data directly on a port (like 9997), it works the same way: In your stanza that applies just add the blacklist feature.

Is it helpful?

Re: How to blacklist Windows security events?

kpavan — Tue, 09 Sep 2014 13:20:18 GMT

Hi,

We have UF installed all 300 servers and all the 300 windows serves are sending the security logs, so now i wanted to put a blacklist on indexer to block the all the logs which are coming. Since configuring on all the UF will be time consuming. Please suggest me with configurations how can achieve this task.

And also help me, if I want to block the specific IP can I block on indexer?

Thanks!

Re: How to blacklist Windows security events?

bgaignon — Tue, 09 Sep 2014 13:36:29 GMT

Hum I can't help on this specific need sorry.

My only solution is: Deployment Server
I would create an application with the stanza that blacklist EventCodes. Then use the deployment feature of Splunk to push this application on all my forwarders.
You need a licence to create a deployment server

Doc: http://docs.splunk.com/Documentation/Splunk/6.1.3/Updating/Extendedexampledeployseveralstandardforwarders
http://wiki.splunk.com/Deploy:DeploymentServer

Re: How to blacklist Windows security events?

bgaignon — Tue, 09 Sep 2014 13:38:30 GMT

If you want to block a specific IP or a host you can also use the nullqueue instead of blacklist.
It simple to configure: http://answers.splunk.com/answers/59370/filtering-events-using-nullqueue