topic Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf? in Getting Data In

Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

bwaldren — Thu, 29 Nov 2018 20:07:20 GMT

Hello,

I am trying to blacklist EventCode 5152 in inputs.conf. I have tried putting it in a different order in the list below (blacklist, blacklist3, blacklist5), and that didn't work. I have tried with the current message setting as well as typing out the message and that did not help. The other events listed are currently being blocked correctly. My current version of Splunk is 7.0.0. Any help would be appreciated.

From the inputs.conf file:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
blacklist = EventCode="5152" Message="*"
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4932" Message="*"
blacklist4 = EventCode="4933" Message="*"

From Splunk search

11/29/2018 01:44:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5152
EventType=0
Type=Information
ComputerName=XXX.northgrum.com
TaskCategory=Filtering Platform Packet Drop
OpCode=Info
RecordNumber=36423970
Keywords=Audit Failure
Message=The Windows Filtering Platform has blocked a packet.

Application Information:

Process ID:     0
    Application Name:   -

Network Information:

Direction:      Inbound
    Source Address:     XXX
    Source Port:        8080
    Destination Address:    XXX
    Destination Port:       64430
    Protocol:       6

Filter Information:

Filter Run-Time ID: 70679
    Layer Name:     Transport
    Layer Run-Time ID:  13

EventCode = 5152

host =  XXX 
    source =    WinEventLog:Security        
    sourcetype =    WinEventLog:Security

Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

prakash007 — Fri, 30 Nov 2018 03:19:57 GMT

How about a tweak in the order of blacklist...

 blacklist1 = EventCode="5152" Message="*"
 blacklist2 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
 blacklist3 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
 blacklist4 = EventCode="4932" Message="*"
 blacklist5 = EventCode="4933" Message="*"

Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

dkeck — Fri, 30 Nov 2018 06:45:52 GMT

Hi,

I know you ask for blacklist and I see why, but if this is not working for you, did you try sending to nullqueque on the Indexer?

props.conf

[WinEventLog:Security]

{{TRANSFORMS-<name>=<name_in_transforms>

}}

transforms.conf

[<name_in_transforms>]

{{REGEX="EventCode=(4662|4634|4672)"
}}

DEST_KEY=queue

FORMAT=nullQueue

If you want to filter for more than the EventCode number, you can just add to the Regex, but you will need a (?s) infront, because of the new line characters in wineventlog events ( REGEX="(?s)EventCode=(4662|4634|4672).*Message=[....] )

Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

bwaldren — Fri, 30 Nov 2018 20:11:29 GMT

Which props.conf file do I modify? There are several on the host machine.

Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

woodcock — Fri, 30 Nov 2018 23:44:16 GMT

Did you deploy this to all of your forwarders and restart the Splunk instances there?

Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

dkeck — Tue, 04 Dec 2018 12:12:11 GMT

You can set up a knew app for this to include your /local/props.conf and /local/transforms. Then deploy it to your Indexer

Or there is already an app working with WinEventLog:Security, so you could add it there.

Please note that you have to eddit two conf files transforms.conf and props.conf

Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

bwaldren — Tue, 04 Dec 2018 21:15:33 GMT

Moving it to the top was unsuccessful. I tried restarting the service and still did not work.

Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

bwaldren — Tue, 04 Dec 2018 21:26:59 GMT

What is the location of the props.conf and transform.conf files I am to modify? c:\program file\splunk...
My host server is generating 100k of these events every day so I would like to start on this server.

Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

dkeck — Thu, 06 Dec 2018 08:52:43 GMT

you have to create these files yourself on the indexer ( or on the master and apply a new bundle if you have a cluster)

set up a new app, with a local directory.

Create props.conf and transforms.conf.

Add and eddit the content I postet above and save the files.

Restart splunkd

Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

bwaldren — Thu, 06 Dec 2018 21:07:21 GMT

I created these two files like you requested. I added a |5152 in the transforms.conf file. I placed them in the Splunk\etc folder.

What you mean by setting up a new app with a local directory?

I restarted splunkd and it still was not working.

Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

dkeck — Tue, 29 Sep 2020 22:21:59 GMT

You propably want to gain some knowledge about apps first before continuing.

Please tell me how your enviroment looks like, do you have a standalone Splunk instance or several with different roles? ( Search Head, Indexer etc.)

In general you will create an app in $SPLUNK_HOME/etc/apps/. Create an new folder in apps with the name of your app. Lets call it "my_first_app".

So we have $SPLUNK_HOME/etc/apps/my_first_app. Next you need to create an "local" directory in my_first_app. So $SPLUNK_HOME/etc/apps/my_first_app/local. Within local you place your transforms and props.conf.

Please post how your conf files look like now. maybe theres an error in there as well.

Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

petom — Fri, 07 Dec 2018 07:15:57 GMT

As per inputs.conf try this:

  blacklist1 = EventCode="5152"
  blacklist2 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
  blacklist3 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
  blacklist4 = EventCode="4932"
  blacklist5 = EventCode="4933"

or simply just:

  blacklist1 = 5152,4932,4933
  blacklist2 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
  blacklist3 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"

Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

vinod94 — Fri, 07 Dec 2018 08:04:04 GMT

You can try for one Event Code,

[WinEventLog://Security]
 disabled = 0
 start_from = oldest
 current_only = 0
 evt_resolve_ad_obj = 1
 checkpointInterval = 5
 index = wineventlog
 blacklist1 = 5152

If you have multiple evencodes, you can put blacklist1 = 5152,4662
Let me know if this works.

Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

bwaldren — Mon, 10 Dec 2018 18:09:58 GMT

I tried as you suggested and it did not work. I then tried with spaces between the commas and with quotes around each number and it did not work. I restarted Splunkd service each time.

Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

bwaldren — Mon, 10 Dec 2018 19:47:59 GMT

Before I respond to you questions, I think I have uncovered something.

The blacklisting 'seems' to be working, but not on the events occurring on the host server. Initially, I was just looking at events, but then I realized the events were only coming from one server and that was the host.

Is there something Splunk related I need to do from the host server to keep from this event getting into the index?

Re: Why can't I blacklist Windows Security EventCode 5152 in inputs.conf?

bwaldren — Mon, 10 Dec 2018 19:49:08 GMT

Also, as a test, I removed the blacklisting event and I got this event from multiple servers.