https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Blacklist-By-event-code-process-name-and/m-p/431098#M75452 <P>Thanks for the help Jacob but there are some issues with your regex statements.</P> <P>Yes I have my blacklists setup sequentially in the inputs.conf. I was also using examples from the Splunk_TA_windows inputs.conf.</P> <P>The first one says it should be both processes which it technically should be one of the two.</P> <P>Your second one puts an OR in between the account name and the process name which wouldn't work either.</P> <P>I just tried the below without capture groups:</P> <P>blacklist7 = EventCode="4674" Message="Account Name:.+slwprdadmin.+Process Name:.+\Windows\SysWOW64\wbem\WmiPrvSE.exe|.+\Windows\System32\wbem\WmiPrvSE.exe"</P> <P>Still doesn't work</P> <P>I have these other blacklists that work fine so this doesn't make any sense to me.</P> <P>blacklist5 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\bin\splunk.exe)|.+(?:SplunkUniversalForwarder\bin\splunkd.exe)|.+(?:SplunkUniversalForwarder\bin\btool.exe)|.+(?:Splunk\bin\splunk.exe)|.+(?:Splunk\bin\splunkd.exe)|.+(?:Splunk\bin\btool.exe)|.+(?:Agent\MonitoringHost.exe)"</P> Wed, 30 Sep 2020 01:41:44 GMT adalbor 2020-09-30T01:41:44Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Blacklist-By-event-code-process-name-and/m-p/431094#M75448 <P>Hey All,<BR /> I am looking to add a blacklist entry to our inputs for our Windows UF's that would blacklist based on the event code, a process name (with wildcard path), and a specific account name.</P> <P>Would it be as simple as?:<BR /> blacklist = EventCode="4674" User="user" Process_Name="*\blah.exe"</P> <P>Or would I need a regex with user and process name trying to match on the message field?</P> <P>Ive written some with Event Code and Process Name but never specific enough with a user.</P> <P>Thanks!<BR /> Andrew</P> Wed, 07 Aug 2019 17:36:13 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Blacklist-By-event-code-process-name-and/m-p/431094#M75448 adalbor 2019-08-07T17:36:13Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Blacklist-By-event-code-process-name-and/m-p/431095#M75449 <P>Or should it look like this?</P> <P>EventCode="4674" Message="(?:Account\sName:\s+ACCOUNTNAME).+(?:Process\sName:\s+?:\wbem\WmiPrvSE.exe)</P> Wed, 07 Aug 2019 17:59:43 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Blacklist-By-event-code-process-name-and/m-p/431095#M75449 adalbor 2019-08-07T17:59:43Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Blacklist-By-event-code-process-name-and/m-p/431096#M75450 <P>This by all knowledge appears it should work but it doesnt. Any ideas?</P> <P>blacklist7 = EventCode="4674" Message="(?:Account Name:.+ACCOUNT).+(?:Process Name:).+(?:\Windows\SysWOW64\wbem\WmiPrvSE.exe)|.+(?:\Windows\System32\wbem\WmiPrvSE.exe)"</P> <P>This matches most of the message in 2 regex tools.</P> Wed, 07 Aug 2019 19:39:22 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Blacklist-By-event-code-process-name-and/m-p/431096#M75450 adalbor 2019-08-07T19:39:22Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Blacklist-By-event-code-process-name-and/m-p/431097#M75451 <P>This is copied directly from the latest <A href="https://splunkbase.splunk.com/app/742/" target="_blank">Splunk_TA_windows</A> default <CODE>inputs.conf</CODE></P> <PRE><CODE>[WinEventLog://Security] blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist1 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)" </CODE></PRE> <P>Hope that helps. The only thing I can think of for your example is to remove the capturing groups since they aren't doing anything as far as I can tell. I'm also assuming you have blacklist1 through blacklist6 defined sequentially.</P> <P>Either:<BR /> <CODE>blacklist7 = EventCode="4674" Message="Account Name:.+ACCOUNT.+Process Name:.+\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe.+\\Windows\\System32\\wbem\\WmiPrvSE.exe"</CODE><BR /> or<BR /> <CODE>blacklist7 = EventCode="4674" Message="(?:Account Name:.+ACCOUNT|Process Name:|\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe|\\Windows\\System32\\wbem\\WmiPrvSE.exe)"</CODE></P> Wed, 30 Sep 2020 01:41:33 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Blacklist-By-event-code-process-name-and/m-p/431097#M75451 jacobpevans 2020-09-30T01:41:33Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Blacklist-By-event-code-process-name-and/m-p/431098#M75452 <P>Thanks for the help Jacob but there are some issues with your regex statements.</P> <P>Yes I have my blacklists setup sequentially in the inputs.conf. I was also using examples from the Splunk_TA_windows inputs.conf.</P> <P>The first one says it should be both processes which it technically should be one of the two.</P> <P>Your second one puts an OR in between the account name and the process name which wouldn't work either.</P> <P>I just tried the below without capture groups:</P> <P>blacklist7 = EventCode="4674" Message="Account Name:.+slwprdadmin.+Process Name:.+\Windows\SysWOW64\wbem\WmiPrvSE.exe|.+\Windows\System32\wbem\WmiPrvSE.exe"</P> <P>Still doesn't work</P> <P>I have these other blacklists that work fine so this doesn't make any sense to me.</P> <P>blacklist5 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\bin\splunk.exe)|.+(?:SplunkUniversalForwarder\bin\splunkd.exe)|.+(?:SplunkUniversalForwarder\bin\btool.exe)|.+(?:Splunk\bin\splunk.exe)|.+(?:Splunk\bin\splunkd.exe)|.+(?:Splunk\bin\btool.exe)|.+(?:Agent\MonitoringHost.exe)"</P> Wed, 30 Sep 2020 01:41:44 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Blacklist-By-event-code-process-name-and/m-p/431098#M75452 adalbor 2020-09-30T01:41:44Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Blacklist-By-event-code-process-name-and/m-p/431099#M75453 <P>Opened a ticket with support as I am unsure why I can't get this to work. The first regex they suggested which also matched in a regex editor didn't work either. Still searching for a solution</P> Tue, 13 Aug 2019 14:33:34 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Blacklist-By-event-code-process-name-and/m-p/431099#M75453 adalbor 2019-08-13T14:33:34Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Blacklist-By-event-code-process-name-and/m-p/431100#M75454 <P>I ended up using this and it worked....for the most part lol. We still have some events matching this blacklist coming in but we saw a reduction from 76mil events to right over 2mil events.</P> <P>blacklist7 = EventCode="4674" Message=".*[\S\s]*Account\sName:\s:.+ACCOUNT.+Process\sName:.+\Windows\SysWOW64\wbem\WmiPrvSE.exe|.+\Windows\System32\wbem\WmiPrvSE.exe"</P> Wed, 30 Sep 2020 01:47:19 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-Blacklist-By-event-code-process-name-and/m-p/431100#M75454 adalbor 2020-09-30T01:47:19Z