Getting Data In

Blacklist Event IDs

aihwab1
Loves-to-Learn Lots

Hi all,

I'm new to the back-end configuration of Splunk and I've recently taken over a Splunk instance and I've been tasked with tidying it up a bit. The first thing I noticed is that there is a lot of noise coming in from event ID 5156. So I would like to blacklist this particular ID from coming in.

As my knowledge is somewhat limited to this, the environment has one Heavy Forwarder, and 3 indexers clustered together. When I try to read the configuration of the Universal Forwarder on the Domain Controller there is no outputs.conf in the C:\Program Files\SplunkUniversalForwarder\etc\system\local directory, so I don't know with assurance where the events are being sent.

We have the Splunk Add-on for Microsoft Windows enabled on the HF, indexers and search head. However, I have only made changes to the inputs.conf located in /opt/splunk/etc/apps/splunk_ta_win/local on the HF. I've added the following line:
blacklist3 = EventCode="5156" Message="Object Type:(?!\s*groupPolicyContainer)" as blacklist1 and blacklist2 were already present and I couldn't return a search for these events (Meaning they're being filtered), I also restarted the Splunk service.

I've just run a search for the past few hours and I'm still seeing 5156 come through. Am I doing anything wrong, or do I need to perhaps make the config changes on the Indexers as well? Currently the config for security index looks like this:


[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="5156" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true

The other thing that has me confused, is the 5156 events being returned are coming from "XmlWinEventLog:Security" and not "WinEventLog:Security", does Splunk automatically add Xml to the front of the index name is renderXml=true, or was that configured prior? I can't see any Xml event stanzas in this file.

If anyone can direct me on what i'm doing wrong, that would be great. All the Splunk instances I'm referring to are on CentOS, and they're all running 7.3.0. Upgrading to 8 is in the pipeline.

Am I looking in the completely wrong area? IE Outside of the app name? At this point intime I still cannot determine the configuration on the Universal Forwarders and we're there being sent as the outputs.conf doesn't exist.

0 Karma

tshah-splunk
Splunk Employee
Splunk Employee

Since renderXml is set to true, the sourcetype of your event would be considered as XmlWinEventLog:Security. So, you can define a similar stanza in the local directory of the app with the blacklist setting and you should be good with your objective. 

---
If you find the answer helpful, an upvote/karma is appreciated
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...