topic Filtering Windows Security Events based on blacklist in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-Security-Events-based-on-blacklist/m-p/239494#M46545 <P>Hello<BR /> I am using Splunk UF 6.1.4 on my Windows Domain controllers to monitor windows events. I've put in place a working blacklist to filter out a number of events and that works fine. The issue I have is I also want to filter out an EventCode 4776 where the Error_Cdoe is 0x0</P> <P>**[WinEventLog://Security]<BR /> disabled = 0<BR /> start_from = oldest<BR /> evt_resolve_ad_obj = 1<BR /> checkpointInterval = 5<BR /> index = soc<BR /> ignoreOlderThan = 2d</P> <H1>whitelist = Category=9</H1> <P>blacklist1 = 4624,4634,4658,4656,4690,4661,4662,5136,5137,538,675,540,566,565,562<BR /> blacklist2 = EventCode="4776" Error_Code="0x0"**</P> <P>As I say the blacklist1 list works, </P> <P>Or should I be setting blacklist2 to <BR /> <STRONG>blacklist2 = EventCode="4776" Message="Error Code:*0x0"</STRONG></P> Tue, 29 Sep 2020 07:22:13 GMT jasonheb 2020-09-29T07:22:13Z Filtering Windows Security Events based on blacklist https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-Security-Events-based-on-blacklist/m-p/239494#M46545 <P>Hello<BR /> I am using Splunk UF 6.1.4 on my Windows Domain controllers to monitor windows events. I've put in place a working blacklist to filter out a number of events and that works fine. The issue I have is I also want to filter out an EventCode 4776 where the Error_Cdoe is 0x0</P> <P>**[WinEventLog://Security]<BR /> disabled = 0<BR /> start_from = oldest<BR /> evt_resolve_ad_obj = 1<BR /> checkpointInterval = 5<BR /> index = soc<BR /> ignoreOlderThan = 2d</P> <H1>whitelist = Category=9</H1> <P>blacklist1 = 4624,4634,4658,4656,4690,4661,4662,5136,5137,538,675,540,566,565,562<BR /> blacklist2 = EventCode="4776" Error_Code="0x0"**</P> <P>As I say the blacklist1 list works, </P> <P>Or should I be setting blacklist2 to <BR /> <STRONG>blacklist2 = EventCode="4776" Message="Error Code:*0x0"</STRONG></P> Tue, 29 Sep 2020 07:22:13 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-Security-Events-based-on-blacklist/m-p/239494#M46545 jasonheb 2020-09-29T07:22:13Z Re: Filtering Windows Security Events based on blacklist https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-Security-Events-based-on-blacklist/m-p/239495#M46546 <P>Ok sorted it - The Message needs to include the line for the Error Code<BR /> In this case I went for simple exact string match which worked fine<BR /> blacklist2 = EventCode="4776" Message="Error Code: 0x0"</P> Fri, 25 Sep 2015 02:13:25 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Windows-Security-Events-based-on-blacklist/m-p/239495#M46546 jasonheb 2015-09-25T02:13:25Z