<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Question on Regex for Windows Event Blacklist in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Question-on-Regex-for-Windows-Event-Blacklist/m-p/524683#M88564</link>
    <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In our environment we are wanting to cut down on some windows event logs. There are quite a few logs that have specific message patterns and script names that we are wanting to discard. After researching and scouring the internet for ways to perform regex on a blacklist, I'm having trouble finding an example similar to mine.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In our Windows Event Logs, we are seeing events still come through, even though we are attempting to blacklist them. Here is an example where the ScriptName is C:\WINDOWS\system32\WindowsPowerShell\v1.\powershell.EXE and is not being dropped, I have a feeling this is due to the regex in place and the .* not wanting to pick up whatever is after the initial C:\WINDOWS\&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If anyone could shed any light on this, that would be much appreciated!!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;Message=Pipeline execution details for command line: $Col = new-object Data.DataColumn . Context Information: DetailSequence=1 DetailTotal=1 SequenceNumber=21 UserId=domain\AccountName$ HostName=ConsoleHost HostVersion=46545HostId=xxx-xxx-xx-xxxxHostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.EXE -command C:\WINDOWS\Script\debug-process.ps1 \EngineVersion=RunspaceId=-5e81---PipelineId=1 ScriptName=&lt;STRONG&gt;C:\WINDOWS\Script\debug-process.ps1&lt;/STRONG&gt; CommandLine= $Col = new-object Data.DataColumn Details: CommandInvocation(New-Object): "New-Object" ParameterBinding(New-Object): name="TypeName"; value="Data.DataColumn" 1&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;blacklist8 = EventCode="800" Message="domain\\AccountName" ScriptName=".+(?:C:\\WINDOWS\\Script\\.*)"&lt;/STRONG&gt;&lt;/P&gt;</description>
    <pubDate>Wed, 14 Oct 2020 16:35:39 GMT</pubDate>
    <dc:creator>dfurtaw</dc:creator>
    <dc:date>2020-10-14T16:35:39Z</dc:date>
    <item>
      <title>Question on Regex for Windows Event Blacklist</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Question-on-Regex-for-Windows-Event-Blacklist/m-p/524683#M88564</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In our environment we are wanting to cut down on some windows event logs. There are quite a few logs that have specific message patterns and script names that we are wanting to discard. After researching and scouring the internet for ways to perform regex on a blacklist, I'm having trouble finding an example similar to mine.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In our Windows Event Logs, we are seeing events still come through, even though we are attempting to blacklist them. Here is an example where the ScriptName is C:\WINDOWS\system32\WindowsPowerShell\v1.\powershell.EXE and is not being dropped, I have a feeling this is due to the regex in place and the .* not wanting to pick up whatever is after the initial C:\WINDOWS\&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If anyone could shed any light on this, that would be much appreciated!!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;Message=Pipeline execution details for command line: $Col = new-object Data.DataColumn . Context Information: DetailSequence=1 DetailTotal=1 SequenceNumber=21 UserId=domain\AccountName$ HostName=ConsoleHost HostVersion=46545HostId=xxx-xxx-xx-xxxxHostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.EXE -command C:\WINDOWS\Script\debug-process.ps1 \EngineVersion=RunspaceId=-5e81---PipelineId=1 ScriptName=&lt;STRONG&gt;C:\WINDOWS\Script\debug-process.ps1&lt;/STRONG&gt; CommandLine= $Col = new-object Data.DataColumn Details: CommandInvocation(New-Object): "New-Object" ParameterBinding(New-Object): name="TypeName"; value="Data.DataColumn" 1&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;blacklist8 = EventCode="800" Message="domain\\AccountName" ScriptName=".+(?:C:\\WINDOWS\\Script\\.*)"&lt;/STRONG&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 14 Oct 2020 16:35:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Question-on-Regex-for-Windows-Event-Blacklist/m-p/524683#M88564</guid>
      <dc:creator>dfurtaw</dc:creator>
      <dc:date>2020-10-14T16:35:39Z</dc:date>
    </item>
    <item>
      <title>Re: Question on Regex for Windows Event Blacklist</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Question-on-Regex-for-Windows-Event-Blacklist/m-p/524864#M88615</link>
      <description>&lt;LI-CODE lang="markup"&gt;ScriptName=".+(?:C:\\WINDOWS\\Script\\.*)"&lt;/LI-CODE&gt;&lt;P&gt;This regex calls for at least one character to precede the "C:", but that can't happen (it certainly doesn't match the example).&lt;/P&gt;</description>
      <pubDate>Thu, 15 Oct 2020 13:47:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Question-on-Regex-for-Windows-Event-Blacklist/m-p/524864#M88615</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2020-10-15T13:47:16Z</dc:date>
    </item>
  </channel>
</rss>

