Re: Problem with Blacklisting and wildcards

asofo · ‎08-26-2019

Trying to reduce some of the noise caused by NTLM failures by adding the following to our Windows Event Log stanza for our DC's:

blacklist1 = EventCode="8004" Workstation_name=”SERVERNAME*”

Due to a large server deployment, I'm using a wildcard at the end to filter out 8004 events from a group of servers with a common prefix. I can't get this working, is the wildcard throwing it off?

memarshall63 · ‎08-26-2019

Can you provide your whole stanza and which file it's in?

I know that whitelists and blacklists in inputs.conf stanzas only use regular expressions, not search terms, but I may be I'm in the wrong neighborhood.

asofo · ‎08-27-2019

This is in our inputs.conf file in our deployment app.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="8004" Workstation_name=”SERVERNAME*”
blacklist4 = EventCode="8004" Workstation_name=”OTHERSERVERNAME*”
index = wineventlog
renderXml=false

memarshall63 · ‎08-28-2019

Hi..

I've not had the opportunity to try to filter a Windows Event Log like that, but I can see the regex in blacklist1 and blacklist2 (the \s+). So, I believe that this file only use regex in blacklists. So, that means the wildcard is being misinterpreted at best.

Is blacklist1 or blacklist2 working? Those are at least closer to what I think should be here -- but even those I think might have issues.

I think you may want to have a look at this:
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

Specifically, under the section: Keep specific events and discard the rest

memarshall63 · ‎08-28-2019

Wait... here's the real page you want to look at:

https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/MonitorWindowseventlogdata

Scroll down to Create advanced filters with 'whitelist' and 'blacklist'

Following these syntax, you probably need something like:
blacklist1 = EventCode="8004" Message="Workstation_name:\s+(?!SERVERNAME)"

(note: haven't tested it -- just a guess).

asofo · ‎08-28-2019

Thanks! I'm looking into and testing this now. I'll let you know how I make out.

mayurr98 · ‎08-26-2019

how is the event look like? could you provide a sample event?

asofo · ‎08-26-2019

Sure:

08/26/2019 12:34:20 PM
LogName=Microsoft-Windows-NTLM/Operational
SourceName=Microsoft-Windows-Security-Netlogon
EventCode=8004
EventType=4
Type=Information
ComputerName=#######
User=NOT_TRANSLATED
Sid=#####
SidType=0
TaskCategory=Auditing NTLM
OpCode=Info
RecordNumber=#####
Keywords=None
Message=Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: ########
User name: ##########
Domain name: NULL
Workstation name: #########
Secure Channel type: 2

Audit NTLM authentication requests within the domain NULL that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.

If you want to allow NTLM authentication requests in the domain NULL, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain NULL, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain NULL to which clients are allowed to use NTLM authentication.

Problem with Blacklisting and wildcards

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life