
How to whitelist specific users who failed to log in, in "WinEventLog://Security"

chanamoluk
Explorer

I need only the data for two users (nacuser, paloaltouid) who failed to log in to the servers to be indexed in Splunk Cloud. Please let me know whether the configuration below is correct or not.

And please provide me the exact configuration to index failed logons for those specific users.

inputs.conf

[WinEventLog://Security]
disabled = 0
whitelist1 = 4624
whitelist2 = "user = nacuser,paloaltouid"


niketn
Legend

The key/value pair for the regular expression starts with upper case. In this case it should be User and not user.

whitelist2= User="nacuser"
whitelist3= User="paloaltouid"

OR

whitelist2= User="^nacuser$"
whitelist3= User="^paloaltouid$"

Further, if you have more than one value of the same key to be filtered, you should define separate whitelists, since only the latter will be used otherwise. Refer to the following snippet from the Splunk Documentation for the same:

http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Create_advanced_f...

Note: You cannot specify an entry that has more than one key/regular expression set that references the same key. If, for example, you specify:

whitelist = EventCode="^1([0-5])$" EventCode="^2([0-5])$"
Splunk Enterprise ignores the first set and only attempts to include events that match the second set. In this case, only events that contain an EventCode between 20 and 25 match. Events that contain an EventCode between 10 and 15 do not match. Only the last set in the entry ever matches. To resolve this problem, specify two separate entries in the stanza:

whitelist = EventCode="^1([0-5])$"
whitelist1 = EventCode="^2([0-5])$"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

chanamoluk
Explorer

[WinEventLog://Security]
disabled = 0
index= activedirectory
whitelist = 4624,4625
whitelist1= User="^nacuser$"
whitelist2= User="^paloaltouid$"

I have used the same inputs.conf configuration, but I haven't seen any filtered events indexing to Splunk.
But when I exclude whitelist1 and whitelist2 I can see all the events indexing to Splunk.

Please let me know if I have to make any edits.


niketn
Legend

Was the result the same for the following as well?

whitelist2= User="nacuser"
whitelist3= User="paloaltouid"


chanamoluk
Explorer

Yes, the stanzas were not indexing.


niketn
Legend

Can you try replacing the double quotes with percent signs? Also try using just one whitelist at a time.
If 4624,4625 are EventCodes, keep just whitelist=4624,4625 and check whether you see the correct events or not. Similarly, try just whitelist1 as whitelist, and finally just whitelist2 as whitelist.

whitelist1= User=%^nacuser$%
whitelist2= User=%^paloaltouid$%

chanamoluk
Explorer

[WinEventLog://Security]
disabled = 0
index = activedirectory
whitelist = 4624,4625
whitelist = User=%^nacuser$%
whitelist = User=%^paloaltouid$%

I have used this stanza. No events seen. The User whitelists are not extracting any data.

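An added Python model of the whitelist matching rules quoted from the Splunk documentation above (this is example code, not Splunk's own matcher): a key repeated inside one entry keeps only its last regex, separate whitelistN entries are ORed, and different keys inside one entry are assumed here to be ANDed. It shows why an entry with the same key twice drops the first set, and why combining EventCode and User in one entry is what narrows the stanza to failed logons of the two users. The events are constructed samples.

```python
import re

# Model of WinEventLog whitelist matching (assumptions, not Splunk's code):
#   "4624,4625"          -> plain list of EventCodes
#   key="re" key2="re"   -> key/regex sets; a key repeated in ONE entry keeps
#                           only its LAST regex (behaviour quoted from the docs)
#   sets in one entry are assumed ANDed; separate whitelistN entries are ORed
SET_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|%([^%]*)%)')  # "re" or %re% form

def parse_entry(entry):
    """Return ('codes', set_of_ids) or ('sets', {key: regex})."""
    if "=" not in entry:
        return "codes", {c.strip() for c in entry.split(",")}
    sets = {}
    for key, quoted, pct in SET_RE.findall(entry):
        sets[key] = quoted if quoted else pct   # later duplicate key overwrites earlier
    return "sets", sets

def entry_matches(entry, event):
    kind, spec = parse_entry(entry)
    if kind == "codes":
        return str(event.get("EventCode")) in spec
    return all(re.search(rx, str(event.get(key, ""))) for key, rx in spec.items())

def stanza_includes(entries, event):
    """An event is indexed if any whitelist entry of the stanza admits it."""
    return any(entry_matches(e, event) for e in entries)

# Constructed sample events (not real Security log records).
EVENTS = [
    {"EventCode": 4625, "User": "nacuser"},
    {"EventCode": 4625, "User": "paloaltouid"},
    {"EventCode": 4625, "User": "someone_else"},
    {"EventCode": 4624, "User": "nacuser"},
]

def included(entries, events=EVENTS):
    """(EventCode, User) of every sample event the stanza would index."""
    return [(e["EventCode"], e["User"]) for e in events if stanza_includes(entries, e)]

# Same key twice in one entry: only the second regex survives.
ONE_ENTRY = ['EventCode="^1([0-5])$" EventCode="^2([0-5])$"']
TWO_ENTRIES = ['EventCode="^1([0-5])$"', 'EventCode="^2([0-5])$"']
# whitelist + whitelist1 as separate entries are ORed: all 4624/4625 get through.
ORED = ['4624,4625', 'User="^nacuser$"']
# Failed logons (4625) of exactly the two users: one combined entry per user.
PER_USER = ['EventCode="^4625$" User="^nacuser$"',
            'EventCode="^4625$" User="^paloaltouid$"']
```

Run included(ORED) against included(PER_USER) to see the difference between ORed entries and a combined entry under these assumed semantics.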