https://community.splunk.com/t5/Getting-Data-In/How-to-create-inputs-conf-blacklist-with-BOOLEAN/m-p/492814#M84246 <P>Hi there,</P> <P>I want to create a blacklist in the universal forwarder or in my heavy forwarder with the following conditions:</P> <P>1)EventCode=4688<BR /> 2)splunk*.exe</P> <P>so I want the regex to be something like EventCode=4688 AND splunk*.<BR /> I tried many different combinations like this one:</P> <PRE><CODE>(?:.*\n){1,}EventCode=4688(?:.*\n){1,}.*splunk-.*\.exe(?:.*\n){1,}(?:.*\n) </CODE></PRE> <P>The above regex matches the event but it's not working in the transforms.conf or inputs.conf.</P> <P>This is how the event looks like:</P> <PRE><CODE>########## 10/03/2019 03:33:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=Win1-New TaskCategory=Process Creation OpCode=Info RecordNumber=2926293 Keywords=Audit Success Message=A new process has been created. </CODE></PRE> <P>Subject:<BR /> <STRONG>Security ID: S-1-1-12<BR /> Account Name: WIN$1<BR /> Account Domain: LOCALGROUP<BR /> Logon ID: 0x3e7</STRONG></P> <P>Process Information:<BR /> <STRONG>New Process ID: 0x143c<BR /> New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe<BR /> Token Elevation Type: TokenElevationTypeDefault (1)<BR /> Creator Process ID: 0x1504<BR /> Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"</STRONG></P> <P>Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.</P> <P>Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.</P> <P>Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.</P> <P>Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.</P> <P>Any ideas how should I proceed?</P> <P>Thanks.</P> Thu, 03 Oct 2019 22:41:01 GMT arsalanj 2019-10-03T22:41:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-inputs-conf-blacklist-with-BOOLEAN/m-p/492814#M84246 <P>Hi there,</P> <P>I want to create a blacklist in the universal forwarder or in my heavy forwarder with the following conditions:</P> <P>1)EventCode=4688<BR /> 2)splunk*.exe</P> <P>so I want the regex to be something like EventCode=4688 AND splunk*.<BR /> I tried many different combinations like this one:</P> <PRE><CODE>(?:.*\n){1,}EventCode=4688(?:.*\n){1,}.*splunk-.*\.exe(?:.*\n){1,}(?:.*\n) </CODE></PRE> <P>The above regex matches the event but it's not working in the transforms.conf or inputs.conf.</P> <P>This is how the event looks like:</P> <PRE><CODE>########## 10/03/2019 03:33:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=Win1-New TaskCategory=Process Creation OpCode=Info RecordNumber=2926293 Keywords=Audit Success Message=A new process has been created. </CODE></PRE> <P>Subject:<BR /> <STRONG>Security ID: S-1-1-12<BR /> Account Name: WIN$1<BR /> Account Domain: LOCALGROUP<BR /> Logon ID: 0x3e7</STRONG></P> <P>Process Information:<BR /> <STRONG>New Process ID: 0x143c<BR /> New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe<BR /> Token Elevation Type: TokenElevationTypeDefault (1)<BR /> Creator Process ID: 0x1504<BR /> Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"</STRONG></P> <P>Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.</P> <P>Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.</P> <P>Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.</P> <P>Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.</P> <P>Any ideas how should I proceed?</P> <P>Thanks.</P> Thu, 03 Oct 2019 22:41:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-inputs-conf-blacklist-with-BOOLEAN/m-p/492814#M84246 arsalanj 2019-10-03T22:41:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-inputs-conf-blacklist-with-BOOLEAN/m-p/492815#M84247 <P>Blacklists for Windows events are not free-form regex. You can use a list of event codes, which won't work for you, or a number <CODE>key=regex</CODE> pairs. The latter probably is what you want. Pairs are automatically ANDed. Unfortunately, the <CODE>key</CODE> portion of the blacklist is limited to certain fields and Process_Command_Line is not one of them.</P> <P>See <STRONG><A href="https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Inputsconf#Event_Log_whitelist_and_blacklist_formats" target="_blank">https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Inputsconf#Event_Log_whitelist_and_blacklist_formats</A></STRONG></P> Wed, 30 Sep 2020 02:23:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-inputs-conf-blacklist-with-BOOLEAN/m-p/492815#M84247 richgalloway 2020-09-30T02:23:09Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-inputs-conf-blacklist-with-BOOLEAN/m-p/492816#M84248 <P>Appreciate your response @richgalloway</P> <P>I thought it deals with the raw data. <BR /> I see that it only works on Category, CategoryString, ComputerName, EventCode, EventType, Keywords,<BR /> LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,<BR /> TaskCategory, Type, User.</P> <P>The keyword that I wanted to AND with was "splunk-" and I used the Message field.<BR /> I could make it work, thanks so much.</P> <P>Could you please tell me what format should I use if I want to drop them in transforms.conf?<BR /> I tried a few regexes that again worked in regex editors but splunk ignored it.</P> Fri, 04 Oct 2019 02:12:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-inputs-conf-blacklist-with-BOOLEAN/m-p/492816#M84248 arsalanj 2019-10-04T02:12:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-inputs-conf-blacklist-with-BOOLEAN/m-p/492817#M84249 <P>I don't understand the new question. You have it working, right?</P> Fri, 04 Oct 2019 15:45:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-inputs-conf-blacklist-with-BOOLEAN/m-p/492817#M84249 richgalloway 2019-10-04T15:45:48Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-inputs-conf-blacklist-with-BOOLEAN/m-p/492818#M84250 <P>Yes, I do. I could make it work by creating a blacklist in inputs.conf</P> <P>The question was, how can I filter such events in transforms.conf. <BR /> How can I AND things in the (REGEX = ) field.<BR /> Because my regex matches the multiline logs but Splunk is not dropping them.</P> <P>props.conf<BR /> [source::WinEventLog:Security]<BR /> TRANSFORMS-null = drop1 </P> <P>transforms.conf<BR /> [drop1]<BR /> REGEX = (EventCode=4688)(?:.*\n){1,}(New Process Name:\s+.*splunk-.*exe)<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> Wed, 30 Sep 2020 02:29:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-inputs-conf-blacklist-with-BOOLEAN/m-p/492818#M84250 arsalanj 2020-09-30T02:29:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-inputs-conf-blacklist-with-BOOLEAN/m-p/492819#M84251 <P>I don't know that.</P> Mon, 07 Oct 2019 11:32:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-inputs-conf-blacklist-with-BOOLEAN/m-p/492819#M84251 richgalloway 2019-10-07T11:32:34Z