https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265906#M50973 <P>I am working with a customer that is trying to narrow down their Windows Security logs. They would like to isolate the Event Code to only 4732,4624, while excluding Logon Type "3" and the list of Account Names. This stanza does not seem to be working and I was hoping someone might be able to assist with either cleaning it up or suggesting a better solution.</P> <PRE><CODE>[WinEventLog://Security] whitelist1 = 4732,4624 disabled = 0 followTail = 0 index = xxxxx ignoreOlderThan = 2d sourcetype=xxxx_wineventlog_sec blacklist1 = Message="Logon\sType:\s+(3|(\w+\$))" blacklist2 = Message="Account\sName:\s+(srvcy*|potalogp|micsperf|sssa|srvHPOM|srvc2cansible|(\w+\$))" </CODE></PRE> <P>Thank you.</P> Wed, 19 Oct 2016 18:29:11 GMT CaptainHook 2016-10-19T18:29:11Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265906#M50973 <P>I am working with a customer that is trying to narrow down their Windows Security logs. They would like to isolate the Event Code to only 4732,4624, while excluding Logon Type "3" and the list of Account Names. This stanza does not seem to be working and I was hoping someone might be able to assist with either cleaning it up or suggesting a better solution.</P> <PRE><CODE>[WinEventLog://Security] whitelist1 = 4732,4624 disabled = 0 followTail = 0 index = xxxxx ignoreOlderThan = 2d sourcetype=xxxx_wineventlog_sec blacklist1 = Message="Logon\sType:\s+(3|(\w+\$))" blacklist2 = Message="Account\sName:\s+(srvcy*|potalogp|micsperf|sssa|srvHPOM|srvc2cansible|(\w+\$))" </CODE></PRE> <P>Thank you.</P> Wed, 19 Oct 2016 18:29:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265906#M50973 CaptainHook 2016-10-19T18:29:11Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265907#M50974 <P>In which way is not working? Is neither filter working? Or one but not the other? </P> <P>I'm not sure if/how relevant, but the documentation mentions putting delimiters around the regex expression.</P> <PRE><CODE>* key=regex format * A whitespace-separated list of event log components to match, and regexes to match against against them. * There can be one match expression or multiple per line. * The key must belong to the set of valid keys provided below. * The regex consists of a leading delimiter, the regex expression, and a trailing delimeter. Examples: %regex%, *regex*, "regex" * When multiple match expressions are present, they are treated as a logical AND. In other words, all expressions must match for the line to apply to the event. * If the value represented by the key does not exist, it is not considered a match, regardless of the regex. * Example: whitelist = EventCode=%^200$% User=%jrodman% Include events only if they have EventCode 200 and relate to User jrodman </CODE></PRE> Wed, 19 Oct 2016 22:22:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265907#M50974 maciep 2016-10-19T22:22:59Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265908#M50975 <P>It seems as if the filter for the logon type and the Account name work separately, but together they do not.</P> Thu, 20 Oct 2016 13:38:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265908#M50975 CaptainHook 2016-10-20T13:38:39Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265909#M50976 <P>The documentation does say that they would be AND'd together. So if both blacklist entries are there, are Logon Type 3 events excluded for those particular users? That's the way I think it would work.</P> <P>Not sure what the solution would be, maybe find a way to whitelist one of those conditions instead? For example, whitelist any Messages that don't equal Logon Type 3? </P> Thu, 20 Oct 2016 14:36:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265909#M50976 maciep 2016-10-20T14:36:42Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265910#M50977 <P>I think the issue is that the <CODE>Message</CODE> field contains more than just the Logon or the Account Name. If there's other stuff in the Message then I think you need to say that in the regex:</P> <PRE><CODE> blacklist1 = Message=".*Logon\sType:\s+(3|(\w+\$)).*" blacklist2 = Message=".*Account\sName:\s+(srvcy*|potalogp|micsperf|sssa|srvHPOM|srvc2cansible|(\w+\$)).*" </CODE></PRE> <P>See the <CODE>.*</CODE> before and after?</P> Thu, 20 Oct 2016 21:30:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265910#M50977 sloshburch 2016-10-20T21:30:31Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265911#M50978 <P>I think I misread the documentation, so you can ignore the comment about them being AND'd together. I think that is only if multiple expression in one blacklist entry.</P> Thu, 20 Oct 2016 23:29:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265911#M50978 maciep 2016-10-20T23:29:18Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265912#M50979 <P>Sorry for the delayed response...<BR /> This is not working either; I am starting to think this may need to be handled from another approach. The whitelist for !=LogonType 3 sounds interesting, but I am not certain on how to write that in. Any suggestions there? Thank you.</P> Fri, 28 Oct 2016 14:27:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265912#M50979 CaptainHook 2016-10-28T14:27:52Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265913#M50980 <P>This is the configuration that I have been able to get working. I appreciate all the assistance as this literally came down to trial and error.</P> <P>whitelist1 = 4732,4624<BR /> blacklist = Message="Logon\sType:\t+3"<BR /> blacklist1 = Message="Account\sName:\t+(srvcy*|potalogp|micsperf|sssa|srvHPOM|srvc2cansible)"</P> <P>Thank you.</P> Sat, 29 Oct 2016 13:45:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265913#M50980 CaptainHook 2016-10-29T13:45:41Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265914#M50981 <P>Some regex tools: <A href="http://www.regexr.com/">http://www.regexr.com/</A> and <A href="https://regex101.com/">https://regex101.com/</A></P> Mon, 31 Oct 2016 16:54:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/265914#M50981 sloshburch 2016-10-31T16:54:03Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/538640#M90251 <P>This was the trick for me :&nbsp;</P><P>it worked when I added % arround my regex like follow :&nbsp;%&lt;Data Name='LogonType'&gt;3&lt;\/Data&gt;%</P> Thu, 04 Feb 2021 16:18:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-Logon-Type-3-and-Account-Names-in-Windows/m-p/538640#M90251 fulldanad 2021-02-04T16:18:52Z