Getting Data In

Blacklisting EventCode=5156 with Source_Port=8

nathanpyun
Explorer

I am trying to blacklist Windows Security event ID 5156 with source port number 8, but does not seem working. Could anyone help me with this? Thank you in advance.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="5156" Source_Port=8
index = wineventlog
renderXml=false

lakromani
Builder

Source_port is not a valid key to use in blacklist

Taken from the manual:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf?utm_source=answers&utm_medium=i...

Valid keys for the key=regex format:

  • The following keys are equivalent to the fields that appear in the text of the acquired events:
    • Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User

shawngarrettsgp
Path Finder

I'm struggling with a similar issue too, for me it seems to just be flatout blacklisting every 5156 EventCode at this point despite my 2nd regex criteria. I've tried both ways below.

blacklist = EventCode="5156" Destination_Address="172\.(20|21)\.3\.(57|58|59|9)"

blacklist = EventCode="5156" Message="Destination\ Address\:\ 172\.(20|21)\.3\.(57|58|59|9)"

0 Karma

shawngarrettsgp
Path Finder

I think my issue is that my UF's are still prior 6.1 😐 :'(
http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

0 Karma

asimagu
Builder

did you try escaping the double quotes ?

0 Karma

nathanpyun
Explorer

I tried by doing:

blacklist3 = EventCode=5156 Source_Port=8

blacklist3 = EventCode="5156 Source_Port=8"

blacklist3 = EventCode=""5156" Source_Port="8""

but none worked...

0 Karma

asimagu
Builder

in Splunk you usually escape characters with \, so if you want to escape a double quote you would type \"

0 Karma

asimagu
Builder

sorry, I just realised that this website escaped my escaping character.
I wanted to say that in Splunk you usually escape characters with a backslash before the character EventCode=\"4662\"

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...