Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Blacklisting EventCode=5156 with Source_Port=8
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Blacklisting EventCode=5156 with Source_Port=8
I am trying to blacklist Windows Security event ID 5156 with source port number 8, but does not seem working. Could anyone help me with this? Thank you in advance.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="5156" Source_Port=8
index = wineventlog
renderXml=false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Source_port is not a valid key to use in blacklist
Taken from the manual:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf?utm_source=answers&utm_medium=i...
Valid keys for the key=regex format:
- The following keys are equivalent to the fields that appear in the text of
the acquired events:
- Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm struggling with a similar issue too, for me it seems to just be flatout blacklisting every 5156 EventCode at this point despite my 2nd regex criteria. I've tried both ways below.
blacklist = EventCode="5156" Destination_Address="172\.(20|21)\.3\.(57|58|59|9)"
blacklist = EventCode="5156" Message="Destination\ Address\:\ 172\.(20|21)\.3\.(57|58|59|9)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think my issue is that my UF's are still prior 6.1 😐 :'(
http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
did you try escaping the double quotes ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried by doing:
blacklist3 = EventCode=5156 Source_Port=8
blacklist3 = EventCode="5156 Source_Port=8"
blacklist3 = EventCode=""5156" Source_Port="8""
but none worked...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in Splunk you usually escape characters with \, so if you want to escape a double quote you would type \"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry, I just realised that this website escaped my escaping character.
I wanted to say that in Splunk you usually escape characters with a backslash before the character EventCode=\"4662\"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
