topic Re: Filter windows events in Splunk in Splunk Search

Filter windows events in Splunk

vad34 — Wed, 30 Dec 2015 14:20:15 GMT

Hello
Can someone write here the steps and what files do i have to edit in order filter windows events ?
Tnx

Re: Filter windows events in Splunk

jmallorquin — Wed, 30 Dec 2015 14:26:17 GMT

Hi,

Here you have a good example
https://answers.splunk.com/answers/335000/how-could-i-filter-network-firewall-data-using-a-f.html#answer-335003

Hope help you

Re: Filter windows events in Splunk

vad34 — Tue, 29 Sep 2020 08:14:07 GMT

Tnx for quick reply,appreciate it!
i configured the following config in inputs.conf :

host = mysplunk
[splunktcp://9997]
[WinEventLog:System]
disabled = 0

only index events with these event IDs.

whitelist = 7036-7037

exclude these event IDs from being indexed.

blacklist = 0-7035,7037-10000
[WinEventLog:Security]
disabled = 0
whitelist = 0-1
blacklist = 4725-4800
I configured it in /opt/splunk/etc/system/local/inputs.conf , restarted splunk and still get unrelevant events
i copied to the /opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf and to /opt/splunk/etc/apps/splunk_app_windows_infrastructure/local/inputs.conf , restarted splunk and still the same
Do i have to edit props.conf and transforms.conf ?
Tnx in advance

Re: Filter windows events in Splunk

sover — Wed, 30 Dec 2015 17:33:50 GMT

Hey vad34,

You can use something like this in your inputs.conf:

[WinEventLog://Security]
disabled=0
current_only=1
blacklist1=EventCode="4662" Message=”Object Type:\s+(?!groupPolicyContainer)”

The reference I'm grabbing from is this blog post:
http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

This is a little more elegant, but it's specific to WinEventLog data. jmallorquin's solution is universal to any data source.

Re: Filter windows events in Splunk

vad34 — Wed, 30 Dec 2015 18:36:54 GMT

i followed the blog, i don't have group policy so i configured this:

[WinEventLog:Security]
disabled = 0
current_only=1
blacklist1=EventCode="4726"
but still getting the events in splunk
any ideas?

Re: Filter windows events in Splunk

sover — Wed, 30 Dec 2015 18:41:35 GMT

Silly question – have you restarted the forwarder?

Re: Filter windows events in Splunk

vad34 — Wed, 30 Dec 2015 19:38:48 GMT

Yes , I restarted the whole splunk server

Re: Filter windows events in Splunk

jkat54 — Wed, 30 Dec 2015 19:57:38 GMT

The above looks good. try running this command

   ./splunk cmd btool inputs list --debug

and checking the output to see if the inputs arent being overruled by another blacklist setting in conf files in other splunk apps.

Re: Filter windows events in Splunk

jmallorquin — Thu, 31 Dec 2015 08:46:22 GMT

Other silly question... what versión of universal forwarder are you running?

If you still have problems use my method 🙂

Re: Filter windows events in Splunk

vad34 — Thu, 31 Dec 2015 08:49:35 GMT

Hi , the version is 6.3.2

Re: Filter windows events in Splunk

jmallorquin — Thu, 31 Dec 2015 08:53:08 GMT

And your stanza is

[WinEventLog:Security] OR [WinEventLog://Security]

Becouse the first one is incorrect

Re: Filter windows events in Splunk

vad34 — Tue, 29 Sep 2020 08:14:34 GMT

Hi
Here is the output fragment of the debug command,
host = splunk-102
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf index = w indows
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 600
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf maxSocket s = 0
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf maxThread s = 0
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf port = 80 88
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf type = po rt
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf useDeploy mentServer = 0
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinPrint Mon://printer]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf baseline = 1
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf dedicated IoThreads = 2
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf enableSSL = 1
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf evt_dc_na me =
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf evt_dns_n ame =
host = splunk-102
How can i define if the input arent being overruled?

Tnx

Re: Filter windows events in Splunk

vad34 — Thu, 31 Dec 2015 09:01:05 GMT

my stanza is [WinEventLog:Security] , i will correct it now and check, update soon.

Re: Filter windows events in Splunk

vad34 — Tue, 29 Sep 2020 08:14:36 GMT

btw , only need to edit in /opt/splunk/etc/system/local/inputs.conf or also in win app - /opt/splunk/etc/apps/splunk_app_windows_infrastructure and in /opt/splunk/etc/apps/Splunk_TA_windows ?

Re: Filter windows events in Splunk

jmallorquin — Thu, 31 Dec 2015 09:05:10 GMT

system local configuration persist over ALL

Re: Filter windows events in Splunk

vad34 — Thu, 31 Dec 2015 09:08:52 GMT

Ok will correct it now and update you..