getting bombarded with windows security error code 5156 and 5157 (Win security)

ranjitbrhm1
Communicator

Hello All,
I have a distributed system where I have a heavy forwarder collecting traffic from the UFs and forwarding events to the indexer. I have a DMC which is on another server. Currently I'm getting bombarded with 5156 and 5157 error messages from Windows Security. I've read somewhere that I can blacklist the values in inputs.conf. Can someone please let me know in which inputs.conf file on which server I have to do the blacklist? Alternatively, is there any other method to control this constant flow of data?

0 Karma

niketn
Legend

@ranjitbrhm1, add the following blacklist to your inputs.conf stanza to filter out events from UF:

blacklist = 5156,5157

Refer to documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_the_Security_...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

ranjitbrhm1
Communicator

Thanks for the answer @niketnilay, as always. I really appreciate it. But my main problem is which %SPLUNK_HOME%\etc\system\local\inputs.conf do I make the changes to? The app that I use to deploy the inputs.conf to the UFs, the heavy forwarder's inputs, or the indexer's inputs? That's the question that is boggling me. I tried sending out this change via the DMC to the UFs but it does not have any effect, it seems.

My inputs.conf file is as below

[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 1
start_from = oldest
index = winevents
blacklist = 5156|5157|5158

[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents

[WinEventLog://ForwardedEvents]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents

[perfmon://Windows__Processor]
counters = *
instances = _Total
interval = 10
object = Processor
index = winevents

[perfmon://Windows__Memory]
counters = Available Bytes
interval = 10
0 Karma

niketn
Legend

@ranjitbrhm1, the heavy forwarder should definitely be able to filter, but the UF should be able to filter events upfront. If possible, test with a standalone machine and a test Splunk server.

You can look into sending unwanted data to nullQueue before indexing, however, I strongly feel this should work. Let me convert my answer to comment for community Splunk experts to weigh in their opinion.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
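An added example, not from the thread or from Splunk: a small offline checker for the WinEventLog blacklist settings discussed above. The stanza is evaluated by whichever instance runs the WinEventLog input (the UF that collects the log), so this is a pre-deployment check to run against the app you push to the forwarders. It models the two blacklist forms the inputs.conf spec documents: a comma-separated list of event IDs or ID ranges (as in niketn's answer), and the keyed regex form `EventCode=%regex%`. The sample inputs.conf text, the stanza names and the `audit` helper are constructed for the example; a value that matches neither documented form is reported as an error rather than silently ignored.

```python
"""Offline checker for Splunk WinEventLog blacklist settings (added example).

Models the two documented blacklist forms:
  blacklist  = 5156,5157          (comma-separated IDs or ID ranges like 5-7)
  blacklist1 = EventCode=%^5158$% (one or more key=%regex% pairs, all must match)
How Splunk itself treats other spellings is not modelled; they are flagged.
"""
import configparser
import re

# Constructed sample mirroring the stanza layout in the thread. The Security
# stanza uses the documented forms; the System stanza uses a pipe-separated
# value, which matches neither form.
SAMPLE_INPUTS_CONF = """
[WinEventLog://Security]
disabled = 0
index = winevents
blacklist = 5156,5157
blacklist1 = EventCode=%^5158$%

[WinEventLog://System]
disabled = 0
index = winevents
blacklist = 5156|5157|5158
"""

KEYED_PAIR = re.compile(r'(\w+)=%([^%]*)%')
KEYED_FORM = re.compile(r'(\s*\w+=%[^%]*%\s*)+')


def parse_list_form(value):
    """Return the set of event IDs named by 'a,b,c-d'; ValueError otherwise."""
    ids = set()
    for part in value.split(','):
        m = re.fullmatch(r'(\d+)(?:-(\d+))?', part.strip())
        if not m:
            raise ValueError(f'not a documented event ID list: {value!r}')
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        ids.update(range(lo, hi + 1))
    return ids


def load_blacklists(conf_text, stanza):
    """Return (rules, errors) for every blacklist/blacklistN key in a stanza.

    A rule is either a set of event IDs (list form) or a dict of
    field -> compiled regex (keyed form).
    """
    # interpolation=None so '%' in regex values is left alone;
    # optionxform=str keeps Splunk's key casing.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(conf_text)
    rules, errors = [], []
    for key, value in cp[stanza].items():
        if not re.fullmatch(r'blacklist\d*', key):
            continue
        if KEYED_FORM.fullmatch(value):
            rules.append({k: re.compile(rx) for k, rx in KEYED_PAIR.findall(value)})
            continue
        try:
            rules.append(parse_list_form(value))
        except ValueError as exc:
            errors.append(f'{stanza} {key}: {exc}')
    return rules, errors


def is_blacklisted(rules, event):
    """event is a dict of string fields, e.g. {'EventCode': '5156'}."""
    code = int(event['EventCode'])
    for rule in rules:
        if isinstance(rule, set):
            if code in rule:
                return True
        # keyed form: every key=%regex% pair in the rule must match (AND)
        elif all(k in event and rx.search(event[k]) for k, rx in rule.items()):
            return True
    return False


def audit(conf_text, stanza, sample_codes):
    """Report which sample event codes the stanza would drop, plus parse errors."""
    rules, errors = load_blacklists(conf_text, stanza)
    dropped = sorted(c for c in sample_codes
                     if is_blacklisted(rules, {'EventCode': str(c)}))
    return {'dropped': dropped, 'errors': errors}


if __name__ == '__main__':
    for stanza in ('WinEventLog://Security', 'WinEventLog://System'):
        print(stanza, audit(SAMPLE_INPUTS_CONF, stanza, [4624, 5156, 5157, 5158]))
```

Run it against the inputs.conf from the deployment app before pushing it; a non-empty `errors` list means a blacklist value that does not match a documented form and is worth correcting before assuming the forwarders will filter anything.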

ranjitbrhm1
Communicator

As always, your help and suggestions are most appreciated. I will spin up a Splunk server and a couple of clients and test this out. I myself have a couple of concepts that I need to test as well.
Thanks
/R

0 Karma