I am trying to blacklist a Windows service account named ftpadmin from all servers. I tried:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
That did not work, so I tried putting ftpadmin in quotation marks:
But that did not work either. Could someone help, please?
Thank you.
Hi Nathanpyun, There is a list of valid key names in the "Create advanced filters with 'whitelist' and 'blacklist'" section in this page : http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/MonitorWindowsdata
It doesn't look like Account_Name is a valid key, and so I suspect that might be your issue. The "User" key might be what you are looking for. Please let me know if that helps!
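As an added illustration of the answer above (this is not the original poster's config or anything from the Splunk docs), here is the same [WinEventLog://Security] stanza with the filter rewritten on documented keys. The account name ftpadmin comes from the question; the event codes, the "Account Name:" message layout and the DOMAIN\user form of the User field are assumptions you should verify against your own events.

```ini
# Added example for the ftpadmin question; not the original config.
# Assumes a Splunk 6.2+ universal forwarder on each Windows server.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

# What the question tried. Account_Name is a field Splunk extracts at search
# time; it is not one of the keys the input filter understands, so this rule
# never matches anything. Kept here commented out for comparison.
# blacklist1 = EventCode="4624" Account_Name="ftpadmin"

# Rule on the documented User key. The value is a regular expression, so anchor
# it: an unanchored "ftpadmin" would also drop ftpadmin2 or notftpadmin.
# Assumption: User is either "ftpadmin" or "DOMAIN\ftpadmin" (the backslash is
# doubled because the value is a regex).
blacklist1 = User="(^|\\)ftpadmin$"

# For events where User is not the account you care about (logon events often
# carry the logged-on account only in the message body), match the Message key.
# Key/regex pairs on one line are ANDed; separate blacklistN lines are ORed.
# Assumption: the standard "Account Name:<whitespace>ftpadmin" message layout.
blacklist2 = EventCode="4624|4634|4672" Message="Account Name:\s+ftpadmin\b"
```

Restart the forwarder after editing inputs.conf, and confirm the stanza it actually loaded with `splunk btool inputs list WinEventLog://Security --debug` on the host. Before relying on the User rule, check what that field really contains for your Security events (for example `sourcetype=WinEventLog:Security | stats count by User`), since for some event types it holds a SID or NOT_TRANSLATED rather than the account name. One caveat from the security side: an input blacklist drops the events before they are indexed, so you lose the audit trail for that service account entirely; if the goal is only to cut noise, blacklist the specific noisy EventCodes for that account rather than every event it generates.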