topic Re: Blacklist am event code on windows in Getting Data In

Blacklist am event code on windows

irshadrahimbux — Tue, 29 Sep 2020 22:42:52 GMT

Hello All,

I have been trying to blacklist an event code from windows as follows... but the event keep on coming.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4747"
blacklist2 = EventCode="5156"

Grateful to let me know what I am doing wrong.

Rgds.

Re: Blacklist am event code on windows

dkeck — Tue, 15 Jan 2019 16:33:09 GMT

Hi,

I know you ask for blacklist and I see why, but if this is not working for you, did you try sending to nullqueque on the Indexer?

props.conf

 [WinEventLog:Security]

 TRANSFORMS-<name>=<name_in_transforms>

transforms.conf

 [<name_in_transforms>]

 REGEX="EventCode=(4747|5156)"


 DEST_KEY=queue

 FORMAT=nullQueue

If you want to filter for more than the EventCode number, you can just add to the Regex, but you will need a (?s) infront, because of the new line characters in wineventlog events ( REGEX="(?s)EventCode=(4662|4634|4672).*Message=[....] )

Re: Blacklist am event code on windows

irshadrahimbux — Tue, 15 Jan 2019 17:11:49 GMT

Thanks.
Sorry for some silly question. I am using splunk on windows. Where is the transforms.conf and props.conf found?

Also, I read that some are using splunkforwarder. Is that necessary to be used? Or can we add these blacklist / nullqueue to splunk only.

Rgds.

Re: Blacklist am event code on windows

dkeck — Tue, 15 Jan 2019 17:25:40 GMT

you set the nullQueue on your indexer. You can create your own transforms and props in any app you like.

Just place it in $SPLUNK_HOME/splunk/etc/apps/<your app>/local. You would have to create your app and local directory OR you place it in $SPLUNK_HOME/splunk/etc/system/local.

Don´t forget to restart after the changes 😉

Re: Blacklist am event code on windows

irshadrahimbux — Tue, 29 Sep 2020 22:46:28 GMT

I have added props and tranforms.conf in $SPLUNK_HOME/splunk/etc/system/local.

Am having the following error on restarting splunk:

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
(skipping validation of index paths because not running as emtelorg\emteladmin)
Validated: _audit _internal _introspection _telemetry _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\Splunk\etc\system\local\props.conf, line 3: {{TRANSFORMS- (value: ).
Invalid key in stanza [] in C:\Program Files\Splunk\etc\system\local\transforms.conf, line 3: {{REGEX (value: "EventCode=(5156|4634|4672)").
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done
Checking default conf files for edits...
Validating installed files against hashes from 'C:\Program Files\Splunk\splunk-7.2.3-06d57c595b80-windows-64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...

Re: Blacklist am event code on windows

dkeck — Tue, 15 Jan 2019 18:17:05 GMT

sry my anwers above had some formatting issues. Please copy the transforms and props code again I changed it.

don´t forget to change the "<name>" values to your own names.

Re: Blacklist am event code on windows

irshadrahimbux — Tue, 29 Sep 2020 23:11:11 GMT

Hi,

A quick update is that blacklist is working for my localhost events only. Sourcetype for localhost is coming as WinEventLog:Security.
inputs.conf:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = 4658

This works perfect and block all 4658 events.

However, I am collecting WMI event log security for other machines. Sourcetype in splunk is "WMI:WinEventLog://Security".
And these are not getting filtered.

P.S. I have splunk 7.2.3

Any ideas on how to make it work.

Rgds,

Re: Blacklist am event code on windows

dkeck — Wed, 16 Jan 2019 07:08:22 GMT

Just add to your inputs stanza for "WMI:WinEventLog://Security" your blacklist = 4658.

Re: Blacklist am event code on windows

irshadrahimbux — Wed, 16 Jan 2019 07:30:13 GMT

Hi Dkeck,

Finally it works. Yes I had to add WMI:WinEventLog://Security and i used the props and transforms as you mentioned above and it works 🙂

Many thanks.

Re: Blacklist am event code on windows

dkeck — Wed, 16 Jan 2019 07:44:44 GMT

Than please be so kind and accept my inital answer 🙂