https://community.splunk.com/t5/Splunk-Search/Unable-to-blacklist-Windows-events-with-regex-on-universal/m-p/201233#M58311 <P>Hi All,</P> <P>We have an remote DC, to save bandwidth and Splunk license we like to filter out computer account logon messages.<BR /> Using Splunk UFW 6.2.4<BR /> EventCode=4624<BR /> Example eventlog message:</P> <P>An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: DC01$ Account Domain: AAA-BBB Logon ID: 0x2d71a99b Logon GUID: .......</P> <P>Account Name is listed twice, if the second Account Name directive is an computer account (ending with a $) the event should be blacklisted and not forwarded to the indexer.</P> <P>I added the following to the inputs.conf in de deployment-apps/Splunk_TA_windows/local:</P> <PRE><CODE>blacklist3 = EventCode="4624" Message="Account\sName:\s.*Account\sName:\s(\S+\$)" </CODE></PRE> <P><STRONG>Why is this not working?</STRONG> Tested the regex on <A href="https://regex101.com/" target="_blank">https://regex101.com/</A> and it looks fine?<BR /> Blacklisting just EventCode="4624" is working fine but that’s not what we want.</P> <P>Also tried the following, all not working while regex101 shows the regex is ok.</P> <PRE><CODE>blacklist3 = EventCode="4624" Message="(?:.*?Account Name:){2}\s(\S+)\$" blacklist3 = EventCode="4624" Message="Account Name:\s(\S+).+Account Name:\s(\S+)\$" blacklist3 = EventCode="4624" Message="Account\sName:.*Account\sName:\s[\S+]+[\$]" </CODE></PRE> <P>Thanks in advance,</P> Tue, 29 Sep 2020 07:08:55 GMT Derksr 2020-09-29T07:08:55Z https://community.splunk.com/t5/Splunk-Search/Unable-to-blacklist-Windows-events-with-regex-on-universal/m-p/201233#M58311 <P>Hi All,</P> <P>We have an remote DC, to save bandwidth and Splunk license we like to filter out computer account logon messages.<BR /> Using Splunk UFW 6.2.4<BR /> EventCode=4624<BR /> Example eventlog message:</P> <P>An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: DC01$ Account Domain: AAA-BBB Logon ID: 0x2d71a99b Logon GUID: .......</P> <P>Account Name is listed twice, if the second Account Name directive is an computer account (ending with a $) the event should be blacklisted and not forwarded to the indexer.</P> <P>I added the following to the inputs.conf in de deployment-apps/Splunk_TA_windows/local:</P> <PRE><CODE>blacklist3 = EventCode="4624" Message="Account\sName:\s.*Account\sName:\s(\S+\$)" </CODE></PRE> <P><STRONG>Why is this not working?</STRONG> Tested the regex on <A href="https://regex101.com/" target="_blank">https://regex101.com/</A> and it looks fine?<BR /> Blacklisting just EventCode="4624" is working fine but that’s not what we want.</P> <P>Also tried the following, all not working while regex101 shows the regex is ok.</P> <PRE><CODE>blacklist3 = EventCode="4624" Message="(?:.*?Account Name:){2}\s(\S+)\$" blacklist3 = EventCode="4624" Message="Account Name:\s(\S+).+Account Name:\s(\S+)\$" blacklist3 = EventCode="4624" Message="Account\sName:.*Account\sName:\s[\S+]+[\$]" </CODE></PRE> <P>Thanks in advance,</P> Tue, 29 Sep 2020 07:08:55 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-blacklist-Windows-events-with-regex-on-universal/m-p/201233#M58311 Derksr 2020-09-29T07:08:55Z https://community.splunk.com/t5/Splunk-Search/Unable-to-blacklist-Windows-events-with-regex-on-universal/m-p/201234#M58312 <P>One problem I see is that you are specifying a single space between "Account Name:" and whatever comes after, but in all my windows event logs I have multiple spaces between "Account Name" and the account name.</P> <P>So <BR /> <CODE>Account\sName:.*Account\sName:\s[\S+]+[\$]</CODE> might need to be <BR /> <CODE>Account\sName:.*Account\sName:\s+[\S+]+[\$]</CODE>. Can you give that a try on some of your examples and see if it helps? </P> <P>If it doesn't, try limiting your blacklist to either/any of the "Account Name:" ending in $ being blocked, get that working and it should be a simple matter to extend it to the second one.</P> <P>And, otherwise, post back with whatever new revelations you've had from those! </P> Sun, 30 Aug 2015 13:23:17 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-blacklist-Windows-events-with-regex-on-universal/m-p/201234#M58312 Richfez 2015-08-30T13:23:17Z https://community.splunk.com/t5/Splunk-Search/Unable-to-blacklist-Windows-events-with-regex-on-universal/m-p/201235#M58313 <P>Thanks for your fast response.</P> <P>You pointed me in the right direction.<BR /> I tested my regex against the consolidated message field, not the original Windows Eventlog Message.<BR /> The original Eventlog Message contains tabs and newline chars.</P> <PRE><CODE>An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: SYSTEM Account Name: DC01$ Account Domain: AAA-BBB .... </CODE></PRE> <P>Solved it with the following regex blacklist entry:</P> <PRE><CODE>blacklist3 = EventCode="4624" Message="Account\sName:.*[\S\s]*Account\sName:\s+[\S+]+[\$]" </CODE></PRE> Sun, 30 Aug 2015 21:08:47 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-blacklist-Windows-events-with-regex-on-universal/m-p/201235#M58313 Derksr 2015-08-30T21:08:47Z https://community.splunk.com/t5/Splunk-Search/Unable-to-blacklist-Windows-events-with-regex-on-universal/m-p/201236#M58314 <P>Derksr, </P> <P>I tried your regex blacklist entry but it did it not work... did it work for you? Here is how mine look:</P> <PRE><CODE>blacklist3 = Eventcode="^4624" Message="^Logon\sType:\s+[3]" Message=".*Account\sName:.*[\S\s]*Account\sName:\s+[a-zA-Z0-9-]+[\$]" </CODE></PRE> Fri, 06 Nov 2015 19:36:14 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-blacklist-Windows-events-with-regex-on-universal/m-p/201236#M58314 kmedina1 2015-11-06T19:36:14Z https://community.splunk.com/t5/Splunk-Search/Unable-to-blacklist-Windows-events-with-regex-on-universal/m-p/201237#M58315 <P>Yes mine worked great.</P> <P>I've checked your regex with <A href="https://www.regex101.com/#python">https://www.regex101.com/#python</A> (did you?)<BR /> The following works for me:</P> <PRE><CODE>Message="Account\sName:.*[\S\s]*Logon\sType:\s+[3][\S\s]*Account\sName:\s+[\S+]+[\$]" </CODE></PRE> <P>So 1 message directive.</P> <P>Looks like the following is what you want: (watch out for capitals EventCode != Eventcode )</P> <PRE><CODE>blacklist3 = EventCode="4624" Message="Account\sName:.*[\S\s]*Logon\sType:\s+[3][\S\s]*Account\sName:\s+[\S+]+[\$]" </CODE></PRE> Fri, 06 Nov 2015 20:12:03 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-blacklist-Windows-events-with-regex-on-universal/m-p/201237#M58315 Derksr 2015-11-06T20:12:03Z https://community.splunk.com/t5/Splunk-Search/Unable-to-blacklist-Windows-events-with-regex-on-universal/m-p/201238#M58316 <P>Derksr,</P> <P>You were right on point... I typed eventcode rather than EventCode. It seems to be working!</P> <P>Thanks!</P> Fri, 06 Nov 2015 22:21:43 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-blacklist-Windows-events-with-regex-on-universal/m-p/201238#M58316 kmedina1 2015-11-06T22:21:43Z