https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/220005#M43224 <P>I believe that I may have captured the events with this:</P> <H1>Windows platform specific input processor.</H1> <P>[WinEventLog://Security] <BR /> disabled = 0 <BR /> index = certification<BR /> blacklist= Message="Account\sName:\s+(srvHPOM|SYSTEM|(\w+\$))"</P> <P>Thank you for all the help. As always, the collaboration is greatly appreciated!!!</P> Wed, 22 Jun 2016 15:33:11 GMT CaptainHook 2016-06-22T15:33:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/219995#M43214 <P>I am trying to remove generic service account names from the Windows Security log, so that we can focus on indexing only the specific user accounts. Am I missing something in my inputs.conf?</P> <PRE><CODE>[WinEventLog://Security] disabled = 0 index = "index" sourcetype = "sourcetype" blacklist = Account_Name=name1| name2|name3|name4|name5 </CODE></PRE> <P>Thank you in advance.</P> Wed, 15 Jun 2016 18:46:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/219995#M43214 CaptainHook 2016-06-15T18:46:26Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/219996#M43215 <P>Try this instead:</P> <PRE><CODE> blacklist1 = Account_Name="name1|name2|name3|name4|name5" </CODE></PRE> <P>Also, I would not change the <CODE>sourcetype</CODE> unless absolutely necessary.</P> Wed, 15 Jun 2016 20:22:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/219996#M43215 woodcock 2016-06-15T20:22:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/219997#M43216 <P>Thank you, I will try this shortly. I appreciate that advice on the sourcetype also. I will respond back as soon as I get the chance to test it out. Cheers.</P> Wed, 15 Jun 2016 21:10:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/219997#M43216 CaptainHook 2016-06-15T21:10:21Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/219998#M43217 <P>Unfortunately, this is still not working. Is there more information I can provide to help come up with a solution? </P> Thu, 16 Jun 2016 19:20:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/219998#M43217 CaptainHook 2016-06-16T19:20:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/219999#M43218 <P>You need to restart the Splunk instance on the forwarder and then only look at events that have been forwarded in AFTER the restart.</P> Thu, 16 Jun 2016 19:22:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/219999#M43218 woodcock 2016-06-16T19:22:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/220000#M43219 <P>I had done a restart on the forwarder itself and did a reload of the deployment server. For some reason it is not omitting all the accounts listed. I have even capture the event name as it shows.</P> Fri, 17 Jun 2016 00:17:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/220000#M43219 CaptainHook 2016-06-17T00:17:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/220001#M43220 <P>Try removing the double-quotes.</P> Fri, 17 Jun 2016 03:36:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/220001#M43220 woodcock 2016-06-17T03:36:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/220002#M43221 <P>Still no luck. Would it make any sense to remove Account_Name and just blacklist the service accounts generically?</P> Fri, 17 Jun 2016 12:14:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/220002#M43221 CaptainHook 2016-06-17T12:14:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/220003#M43222 <P>I'm reading the <A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/admin/Inputsconf" target="_blank">inputs.conf</A> and <A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorWindowseventlogdata" target="_blank">referenced Windows</A> docs now. A couple thoughts crossed my mind:</P> <OL> <LI>Did you try blacklisting a single name? This would be a base case to make sure that if you can get at least one blocked, then the problem is the syntax with blocking multiple. If we can't event get one, then we know the issue is before the multi-value syntax.</LI> <LI>The inputs.conf docs imply that Account_Name isn't a valid key to match on in the blacklist. Check the list of valid Keys (the Account_Name part of your syntax) by searching for the table labelled "Create advanced filters with 'whitelist' and 'blacklist'" on <A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorWindowseventlogdata" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorWindowseventlogdata</A> . You might want to explore the 'User' or the 'Message' fields if you agree that Account_Name is not an option. Don't forget regex to match anything before/after the value of the Account_Name - I can support you on that if unclear but I know you'd like to give it a try on your own first.</LI> </OL> Tue, 29 Sep 2020 10:01:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/220003#M43222 sloshburch 2020-09-29T10:01:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/220004#M43223 <P>Thanks Burch, I am going to run through this today. I did actually try narrowing it down to one single name initially; the odd thing was that the blacklist seemed to work for a lot of the names using Account_Name. I do agree with you though, that it does not seem to be a valid key to match on. I will try the 'User' and/or 'Message' field. I can always use a little guidance on RegEx <span class="lia-unicode-emoji" title=":winking_face:">😉</span> Thanks again.</P> Wed, 22 Jun 2016 12:12:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/220004#M43223 CaptainHook 2016-06-22T12:12:20Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/220005#M43224 <P>I believe that I may have captured the events with this:</P> <H1>Windows platform specific input processor.</H1> <P>[WinEventLog://Security] <BR /> disabled = 0 <BR /> index = certification<BR /> blacklist= Message="Account\sName:\s+(srvHPOM|SYSTEM|(\w+\$))"</P> <P>Thank you for all the help. As always, the collaboration is greatly appreciated!!!</P> Wed, 22 Jun 2016 15:33:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/220005#M43224 CaptainHook 2016-06-22T15:33:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/220006#M43225 <P>Perfect. That's exactly what I was thinking!</P> Wed, 22 Jun 2016 20:46:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-WinEventLog-blacklist-configuration-to-exclude/m-p/220006#M43225 sloshburch 2016-06-22T20:46:02Z