https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461847#M99512 <P>Wait... here's the real page you want to look at:</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/MonitorWindowseventlogdata">https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/MonitorWindowseventlogdata</A></P> <P>Scroll down to <STRONG>Create advanced filters with 'whitelist' and 'blacklist'</STRONG></P> <P>Following these syntax, you probably need something like:<BR /> blacklist1 = EventCode="8004" Message="Workstation_name:\s+(?!SERVERNAME)"</P> <P>(note: haven't tested it -- just a guess).</P> Wed, 28 Aug 2019 15:25:55 GMT memarshall63 2019-08-28T15:25:55Z https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461841#M99506 <P>Trying to reduce some of the noise caused by NTLM failures by adding the following to our Windows Event Log stanza for our DC's:</P> <P>blacklist1 = EventCode="8004" Workstation_name=”SERVERNAME*”</P> <P>Due to a large server deployment, I'm using a wildcard at the end to filter out 8004 events from a group of servers with a common prefix. I can't get this working, is the wildcard throwing it off?</P> Mon, 26 Aug 2019 16:14:41 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461841#M99506 asofo 2019-08-26T16:14:41Z https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461842#M99507 <P>how is the event look like? could you provide a sample event?</P> Mon, 26 Aug 2019 17:47:51 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461842#M99507 mayurr98 2019-08-26T17:47:51Z https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461843#M99508 <P>Sure:</P> <P>08/26/2019 12:34:20 PM<BR /> LogName=Microsoft-Windows-NTLM/Operational<BR /> SourceName=Microsoft-Windows-Security-Netlogon<BR /> EventCode=8004<BR /> EventType=4<BR /> Type=Information<BR /> ComputerName=#######<BR /> User=NOT_TRANSLATED<BR /> Sid=#####<BR /> SidType=0<BR /> TaskCategory=Auditing NTLM<BR /> OpCode=Info<BR /> RecordNumber=#####<BR /> Keywords=None<BR /> Message=Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.<BR /> Secure Channel name: ########<BR /> User name: ##########<BR /> Domain name: NULL<BR /> Workstation name: #########<BR /> Secure Channel type: 2</P> <P>Audit NTLM authentication requests within the domain NULL that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.</P> <P>If you want to allow NTLM authentication requests in the domain NULL, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.</P> <P>If you want to allow NTLM authentication requests to specific servers in the domain NULL, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain NULL to which clients are allowed to use NTLM authentication.</P> Mon, 26 Aug 2019 17:54:51 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461843#M99508 asofo 2019-08-26T17:54:51Z https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461844#M99509 <P>Can you provide your whole stanza and which file it's in?</P> <P>I know that whitelists and blacklists in inputs.conf stanzas only use regular expressions, not search terms, but I may be I'm in the wrong neighborhood.</P> Mon, 26 Aug 2019 23:20:14 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461844#M99509 memarshall63 2019-08-26T23:20:14Z https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461845#M99510 <P>This is in our inputs.conf file in our deployment app.</P> <P>[WinEventLog://Security]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 0<BR /> evt_resolve_ad_obj = 1<BR /> checkpointInterval = 5<BR /> blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"<BR /> blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"<BR /> blacklist3 = EventCode="8004" Workstation_name=”SERVERNAME*”<BR /> blacklist4 = EventCode="8004" Workstation_name=”OTHERSERVERNAME*”<BR /> index = wineventlog<BR /> renderXml=false</P> Wed, 30 Sep 2020 01:54:21 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461845#M99510 asofo 2020-09-30T01:54:21Z https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461846#M99511 <P>Hi..</P> <P>I've not had the opportunity to try to filter a Windows Event Log like that, but I can see the regex in blacklist1 and blacklist2 (the \s+). So, I <EM>believe</EM> that this file only use regex in blacklists. So, that means the wildcard is being misinterpreted at best. </P> <P>Is blacklist1 or blacklist2 working? Those are at least closer to what I think should be here -- but even those I think might have issues.</P> <P>I think you may want to have a look at this:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad">https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad</A></P> <P>Specifically, under the section: <STRONG>Keep specific events and discard the rest</STRONG></P> Wed, 28 Aug 2019 13:08:10 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461846#M99511 memarshall63 2019-08-28T13:08:10Z https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461847#M99512 <P>Wait... here's the real page you want to look at:</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/MonitorWindowseventlogdata">https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/MonitorWindowseventlogdata</A></P> <P>Scroll down to <STRONG>Create advanced filters with 'whitelist' and 'blacklist'</STRONG></P> <P>Following these syntax, you probably need something like:<BR /> blacklist1 = EventCode="8004" Message="Workstation_name:\s+(?!SERVERNAME)"</P> <P>(note: haven't tested it -- just a guess).</P> Wed, 28 Aug 2019 15:25:55 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461847#M99512 memarshall63 2019-08-28T15:25:55Z https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461848#M99513 <P>Thanks! I'm looking into and testing this now. I'll let you know how I make out.</P> Wed, 28 Aug 2019 15:38:08 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-with-Blacklisting-and-wildcards/m-p/461848#M99513 asofo 2019-08-28T15:38:08Z