topic Re: Heavy Forwarder Pulling Windows events: blacklist not working in Getting Data In

Heavy Forwarder Pulling Windows events: blacklist not working

klutzen — Tue, 29 Sep 2020 06:55:26 GMT

Blacklists and suppress_text in Splunk 6.2.4 are not working for me on a heavy forwarder.

my inputs.conf is:

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
blacklist = 5152-5158
suppress_text = 1
...

And I've also tried

[WMI:WinEventLog:Security]
blacklist = 5156-5158
disabled = false
suppress_text = 1

and many variations on the source. The blacklist and suppress_text are doing nothing. I still get firewall events I don't want to see.

Suggestions please.

Re: Heavy Forwarder Pulling Windows events: blacklist not working

woodcock — Wed, 05 Aug 2015 22:25:05 GMT

This looks all good to me (you do not need the disabled line at all, BTW); did you restart your Splunk instances on your Forwarders?

Re: Heavy Forwarder Pulling Windows events: blacklist not working

klutzen — Wed, 05 Aug 2015 22:38:15 GMT

That's just it: I'm using the Heavy Forwarder to pull the logs via WMI from the Windows machines. There are no other forwarders. It appears that when pulling from WMI only, blacklist and the suppress_text aren't available. I will see what the universal forwarder does in a bit.

Thanks for the comment though.

Re: Heavy Forwarder Pulling Windows events: blacklist not working

klutzen — Wed, 05 Aug 2015 23:31:46 GMT

Restarting splunk in a command prompt: Invalid key stanza for the blacklist line

Well, now I know why its not working. It's being ignored.

Now how do I fix it?

Re: Heavy Forwarder Pulling Windows events: blacklist not working

klutzen — Thu, 06 Aug 2015 00:13:20 GMT

Added the Splunk for windows add-on. Ok blacklist stanza error is now gone. Blacklist in inputs.conf

is
[WinEventLog://Security]
blacklist = 5156-5158

Accepted, but not working. Logs come through. Suspect it's because I'm pulling via WMI and its bypassing the rule

Re: Heavy Forwarder Pulling Windows events: blacklist not working

woodcock — Thu, 06 Aug 2015 02:32:45 GMT

It would help if you posted the exact error log text but if it is as you are saying then my guess is that you are using an older version of splunk that does not support that blacklist format. I say this because the documentation for the latest version of Splunk clearly supports it:

http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Monitorwindowsdata#Use_the_Security_event_log_to_monitor_changes_to_files

Either that or you do not have a proper Heavy Forwarder binary installed (maybe Splunk makes the Universal/Light Forwarder treat incompatible settings as though they are nonsensical, which is what this log is saying).

Re: Heavy Forwarder Pulling Windows events: blacklist not working

klutzen — Thu, 06 Aug 2015 04:38:04 GMT

Well, you clearly missed that I was running 6.2.4. Unless there is a secret version, it clearly does not work with 6.2.4 and the Heavy Forwarder pulling the logs from the Windows systems and applying the blacklist rules. Something is wrong here.