<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Can I blacklist a SourceName on a Windows Security Log event using a Universal Forwarder? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Can-I-blacklist-a-SourceName-on-a-Windows-Security-Log-event/m-p/239196#M46488</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;

&lt;P&gt;I am using Splunk Enterprise 6.2.3 Universal Forwarder to monitor events from the Security log on a Windows server.  I need to be able to blacklist all events with SourceName = "Microsoft Windows security auditing." and SourceName="Microsoft-Windows-Eventlog".  Can this be done?   I can blacklist EventCode with a UF but the SourceName doesn't seem to work.  Thanks!&lt;/P&gt;

&lt;P&gt;This works...&lt;/P&gt;

&lt;P&gt;[WinEventLog://Security]&lt;BR /&gt;
disabled = 0&lt;BR /&gt;
start_from = oldest&lt;BR /&gt;
current_only = 0&lt;BR /&gt;
evt_resolve_ad_obj = 1&lt;BR /&gt;
checkpointInterval = 5&lt;BR /&gt;
blacklist1 = EventCode="4747"&lt;BR /&gt;
blacklist2 = EventCode="4858"&lt;/P&gt;

&lt;P&gt;This does not...&lt;/P&gt;

&lt;P&gt;[WinEventLog://Security]&lt;BR /&gt;
disabled = 0&lt;BR /&gt;
start_from = oldest&lt;BR /&gt;
current_only = 0&lt;BR /&gt;
evt_resolve_ad_obj = 1&lt;BR /&gt;
checkpointInterval = 5&lt;BR /&gt;
blacklist1 = SourceName="Microsoft-Windows-Eventlog"&lt;BR /&gt;
blacklist2 = SourceName="Microsoft Windows security auditing."&lt;/P&gt;</description>
    <pubDate>Tue, 29 Sep 2020 07:22:07 GMT</pubDate>
    <dc:creator>Magnus_001</dc:creator>
    <dc:date>2020-09-29T07:22:07Z</dc:date>
    <item>
      <title>Can I blacklist a SourceName on a Windows Security Log event using a Universal Forwarder?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Can-I-blacklist-a-SourceName-on-a-Windows-Security-Log-event/m-p/239196#M46488</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;

&lt;P&gt;I am using Splunk Enterprise 6.2.3 Universal Forwarder to monitor events from the Security log on a Windows server.  I need to be able to blacklist all events with SourceName = "Microsoft Windows security auditing." and SourceName="Microsoft-Windows-Eventlog".  Can this be done?   I can blacklist EventCode with a UF but the SourceName doesn't seem to work.  Thanks!&lt;/P&gt;

&lt;P&gt;This works...&lt;/P&gt;

&lt;P&gt;[WinEventLog://Security]&lt;BR /&gt;
disabled = 0&lt;BR /&gt;
start_from = oldest&lt;BR /&gt;
current_only = 0&lt;BR /&gt;
evt_resolve_ad_obj = 1&lt;BR /&gt;
checkpointInterval = 5&lt;BR /&gt;
blacklist1 = EventCode="4747"&lt;BR /&gt;
blacklist2 = EventCode="4858"&lt;/P&gt;

&lt;P&gt;This does not...&lt;/P&gt;

&lt;P&gt;[WinEventLog://Security]&lt;BR /&gt;
disabled = 0&lt;BR /&gt;
start_from = oldest&lt;BR /&gt;
current_only = 0&lt;BR /&gt;
evt_resolve_ad_obj = 1&lt;BR /&gt;
checkpointInterval = 5&lt;BR /&gt;
blacklist1 = SourceName="Microsoft-Windows-Eventlog"&lt;BR /&gt;
blacklist2 = SourceName="Microsoft Windows security auditing."&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 07:22:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Can-I-blacklist-a-SourceName-on-a-Windows-Security-Log-event/m-p/239196#M46488</guid>
      <dc:creator>Magnus_001</dc:creator>
      <dc:date>2020-09-29T07:22:07Z</dc:date>
    </item>
    <item>
      <title>Re: Can I blacklist a SourceName on a Windows Security Log event using a Universal Forwarder?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Can-I-blacklist-a-SourceName-on-a-Windows-Security-Log-event/m-p/239197#M46489</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;

&lt;P&gt;I got it to work by adding a regex statement to the blacklist.&lt;/P&gt;

&lt;P&gt;[WinEventLog://Security]&lt;BR /&gt;
disabled = 0&lt;BR /&gt;
start_from = oldest&lt;BR /&gt;
current_only = 0&lt;BR /&gt;
evt_resolve_ad_obj = 1&lt;BR /&gt;
checkpointInterval = 5&lt;BR /&gt;
blacklist = SourceName="^Microsoft.*$"&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 07:23:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Can-I-blacklist-a-SourceName-on-a-Windows-Security-Log-event/m-p/239197#M46489</guid>
      <dc:creator>Magnus_001</dc:creator>
      <dc:date>2020-09-29T07:23:14Z</dc:date>
    </item>
    <item>
      <title>Re: Can I blacklist a SourceName on a Windows Security Log event using a Universal Forwarder?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Can-I-blacklist-a-SourceName-on-a-Windows-Security-Log-event/m-p/239198#M46490</link>
      <description>&lt;P&gt;I wonder, does it see the "." in your blacklist2 item and believes that's a regex?  &lt;/P&gt;

&lt;P&gt;It may be worth trying one of the following:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;blacklist1 = SourceName="Microsoft-Windows-Eventlog"
blacklist2 = SourceName="Microsoft Windows security auditing\."
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;or&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;blacklist1 = SourceName="Microsoft-Windows-Eventlog"
blacklist2 = SourceName="Microsoft Windows security auditing"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I really don't know precisely HOW it determines if your lines fits the non-regex or the regex filtering way.  (&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Monitorwindowsdata"&gt;As per docs&lt;/A&gt;)&lt;/P&gt;</description>
      <pubDate>Thu, 24 Sep 2015 23:49:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Can-I-blacklist-a-SourceName-on-a-Windows-Security-Log-event/m-p/239198#M46490</guid>
      <dc:creator>Richfez</dc:creator>
      <dc:date>2015-09-24T23:49:20Z</dc:date>
    </item>
  </channel>
</rss>

