<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Windows Blacklist Pattern Match Issue in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Windows-Blacklist-Pattern-Match-Issue/m-p/457466#M79042</link>
    <description>&lt;P&gt;Hope you have tried props and transforms.conf instead of blacklisting in inputs.conf? &lt;/P&gt;</description>
    <pubDate>Wed, 21 Aug 2019 04:10:00 GMT</pubDate>
    <dc:creator>nareshinsvu</dc:creator>
    <dc:date>2019-08-21T04:10:00Z</dc:date>
    <item>
      <title>Windows Blacklist Pattern Match Issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Windows-Blacklist-Pattern-Match-Issue/m-p/457465#M79041</link>
      <description>&lt;P&gt;I can't think of a better way to phrase my question without it being a sentence. The issue I'm having is my blacklist is checking for an Event Code (4624) and then a Message that contains Exchange Health Mailbox accounts, but ends up removing ALL 4624 events. I only want to discard the events that have the health mailboxes, but as soon as I make the conf change and the change applies... 4624's stop coming in.&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;EDIT:&lt;/STRONG&gt; OK, I found the issue. Full disclosure: some major egg on my face here. In my inputs.conf I have three active blacklists, and each is different in event code and scope. It turns out I coincidentally had three distinct cases of bad Splunk-specific regex formatting that caused the "Message=" section to break. For my example below, I wanted a case-insensitive match and wrapped the regex in (?i) rather than placing (?i) by itself &lt;EM&gt;before&lt;/EM&gt; the section I wanted to match with case insensitivity. Bottom line is my bad regex in the &lt;EM&gt;Message&lt;/EM&gt; key caused that portion of the line to be discarded, leaving only the EventCode key for evaluation. This is odd behavior to me, as I would expect the entire line to be discarded and not simply the bad key, as the end result was I ended up blacklisting all of that event code rather than failing to blacklist anything.&lt;/P&gt;

&lt;P&gt;I think the issue I'm having might still qualify as a bug, maybe, but at least I now know I was mostly shooting myself in the foot!&lt;/P&gt;

&lt;P&gt;Here's an example:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;blacklist1 = EventCode="4624" Message="Account Name:\s+(?i(HealthMailbox\S+)|(\S+\$))"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Edit: here's what I did to fix the above.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;blacklist1 = EventCode="4624" Message="Account Name:\s+(?:(?i)(HealthMailbox\S+)|(\S+\$))"
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 21 Aug 2019 03:57:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Windows-Blacklist-Pattern-Match-Issue/m-p/457465#M79041</guid>
      <dc:creator>bwheelock</dc:creator>
      <dc:date>2019-08-21T03:57:33Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Blacklist Pattern Match Issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Windows-Blacklist-Pattern-Match-Issue/m-p/457466#M79042</link>
      <description>&lt;P&gt;Hope you have tried props and transforms.conf instead of blacklisting in inputs.conf? &lt;/P&gt;</description>
      <pubDate>Wed, 21 Aug 2019 04:10:00 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Windows-Blacklist-Pattern-Match-Issue/m-p/457466#M79042</guid>
      <dc:creator>nareshinsvu</dc:creator>
      <dc:date>2019-08-21T04:10:00Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Blacklist Pattern Match Issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Windows-Blacklist-Pattern-Match-Issue/m-p/457467#M79043</link>
      <description>&lt;P&gt;Thanks for the input! For the moment I have avoided switching to that direction, but if it helps troubleshoot why the inputs functionality is not working as expected I can work on that. I presume the main value would be to confirm the regex is working? (Though I've validated the regex against event codes within Splunk already, using the rex command)&lt;/P&gt;</description>
      <pubDate>Wed, 21 Aug 2019 17:05:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Windows-Blacklist-Pattern-Match-Issue/m-p/457467#M79043</guid>
      <dc:creator>bwheelock</dc:creator>
      <dc:date>2019-08-21T17:05:21Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Blacklist Pattern Match Issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Windows-Blacklist-Pattern-Match-Issue/m-p/457468#M79044</link>
      <description>&lt;P&gt;I think the issue I'm having might still qualify as a bug, maybe, but at least I now know I was mostly shooting myself in the foot!&lt;/P&gt;

&lt;P&gt;OK, I found the issue. Full disclosure: some major egg on my face here. In my inputs.conf I have three active blacklists, and each is different in event code and scope. It turns out I coincidentally had three distinct cases of bad Splunk-specific regex formatting that caused the "Message=" section to break. For my example below, I wanted a case-insensitive match and wrapped the regex in (?i) rather than placing (?i) by itself &lt;EM&gt;before&lt;/EM&gt; the section I wanted to match with case insensitivity. Bottom line is my bad regex in the &lt;EM&gt;Message&lt;/EM&gt; key caused that portion of the line to be discarded, leaving only the EventCode key for evaluation. This is odd behavior to me, as I would expect the entire line to be discarded and not simply the bad key, as the end result was I ended up blacklisting all of that event code rather than failing to blacklist anything.&lt;/P&gt;

&lt;P&gt;Here's an example that breaks the &lt;EM&gt;Message&lt;/EM&gt; key causing the blacklist to exclude ALL &lt;EM&gt;EventCode&lt;/EM&gt; key matches:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;blacklist1 = EventCode="4624" Message="Account Name:\s+(?i(HealthMailbox\S+)|(\S+\$))"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Here's what I did to fix the above bad regex.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;blacklist1 = EventCode="4624" Message="Account Name:\s+(?:(?i)(HealthMailbox\S+)|(\S+\$))"
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 21 Aug 2019 21:09:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Windows-Blacklist-Pattern-Match-Issue/m-p/457468#M79044</guid>
      <dc:creator>bwheelock</dc:creator>
      <dc:date>2019-08-21T21:09:51Z</dc:date>
    </item>
  </channel>
</rss>

