All Apps and Add-ons

inputs.conf blacklist example

michaeler
Communicator

Not a question. I struggled with working getting the regex syntax correct for a while to blacklist some noisy event code items and wanted to post my successful strings. Just in case someone else searches and finds this useful. 

blacklist1 = EventCode="4688" Message="New Process Name:\s+(?:[C-F]:\\(?:Program Files\\SplunkUniversalForwarder|Splunk)\\bin\\(?:splunk|splunkd|splunk-optimize|splunk-powershell|splunk-admon|splunk-netmon|splunk-MonitorNoHandle|python3|btool)\.exe)

blacklist2 = EventCode="(4663|4660|4907)" Message="Process Name:\s+(?:[C-F]:\\(?:Program Files\\Microsoft Configuration Manager\\bin\\X64|Program Files \W\w{3}\W\\Symantec\\Symantec Endpoint Protection\\\d{1,5}\.\d{1,5}\.\d{1,5}\.\d{1,5}\.\d{1,5}\\Bin64|Program Files\\SMS_CCM|Windows\\System32|Windows\\System32\\(?:inetsrv|wbem)|.WINDOWS.~BT\\Sources|Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_\w{16,20}\.+\d\.+\d{1,6}\.+\w{22,30})\\(?:smsexec|sitecomp|TiWorker|SetupHost|WmiPrvSE|w3wp|poqexec|CcmExec|ccSvcHst)\.exe)

I'm a novice with regex so there might be some ways to clean this up and make it shorter, but it works. If anyone has simplification recommendations, feel free to share.

Labels (2)
Tags (1)
0 Karma

michaeler
Communicator

I forgot to add the final " at the end of each. regex101.com doesn't like them so I removed for the purpose of troubleshooting.

0 Karma
Get Updates on the Splunk Community!

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

Enterprise Security Content Update (ESCU) | New Releases

In April, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...