I'm looking to drop EventID 4673 where action=failure.
Here is an example log:
3/15/2023 02:51:42 PM
LogName=Security
EventCode=4673
EventType=0
ComputerName=redacted
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=redacted
Keywords=Audit Failure
TaskCategory=Sensitive Privilege Use
OpCode=Info
Message=A privileged service was called.

Subject:
	Security ID:		redacted
	Account Name:		redacted
	Account Domain:		redacted
	Logon ID:		redacted

Service:
	Server:		Security
	Service Name:

Process:
	Process ID:		xxxxx
	Process Name:		C:\Windows\System32\backgroundTaskHost.exe

Service Request Information:
	Privileges:		SeTcbPrivilege
From reading
https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Inputsconf?_ga=2.40401506.1999669205.1678852413-817152181.1624861549&_gl=1*s1kmhp*_ga*ODE3MTUyMTgxLjE2MjQ4NjE1NDk.*_ga_5EPM2P39FV*MTY3ODg2MDY5OS44Ni4xLjE2Nzg4NjA3NjAuNjAuMC4w#Event_Log_allow_list_and_deny_list_formats
I can see that action is not a valid field to filter on?
# Valid keys for the key=regex format:
* The following keys are equivalent to the fields that appear in the text of the acquired events:
* Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User
So I chose to use Keywords, which has the value Audit Failure.
Here is my inputs.conf
---------------------
[WinEventLog://Security]
disabled = 0
index=corp_oswinsec
current_only=1
evt_resolve_ad_obj=0
checkpointInterval = 5
blacklist1 = EventCode="4673" Keywords="Audit Failure"
--------------------------------
I am still seeing these events being indexed, however. Any tips on where I am going wrong would be much appreciated!
OK, thanks Rick. What worked for this was
EventCode="4673" Keywords=".*Failure"
Thanks for your help!
Further testing has shown I can filter with a regex on the Message field, such as this to filter out any msedge events:
blacklist = EventCode="4673" Message=".*Edge"
The issue is that the Message field does not contain whether it is successful or not. That information is only within the Keywords field, of the fields that the UF is supposed to be able to blacklist with. Is this a bug, or do I need to do this another way? I don't want to have to send all of this traffic back to an HF to filter it, as we have some mobile devices that send logs directly to Splunk Cloud so as not to require the VPN.
I'm not sure I follow. If the Success/Failure value is stored in the Keywords field, you can't match against it on the Message field.
In such a case you should match on
EventCode=4673 Keywords=Failure
No, what I mean is that the regex does not seem to work for me on the Keywords field. Have you tried?
No. I "misadvised" you. I forgot that indeed the regex must be surrounded by something (and since you used a quote, I mistook it for the typical mistake in props.conf).
Yes, the regex must be surrounded by something so that the UF can properly find where the separate regexes start and end.
So it turns out it should be done like this:
EventCode="4673" Keywords="Failure"
or
EventCode=%4673% Keywords=%Failure%
or
EventCode=*4673* Keywords=/Failure/
...
Thanks for the suggestions, however none of them work. I have tried both of those as well as various other option combinations, with and without quotes on the EventCode and on the Keywords statement:
blacklist = EventCode=4673 Keywords=Audit\sFailure
blacklist = EventCode=4673.*Keywords=Audit Failure
What I have discovered is that I can blacklist the entire event easily enough by using
blacklist = EventCode="4673"
but when I try to blacklist the event without quotes it doesn't work.
However I would like to keep the successful events in splunk - has anyone else managed this and is willing to share their configuration?
Specifying regexes for white/blacklisting can be a PITA sometimes. Instead of
EventCode="4673" Keywords="Audit Failure"
Try
EventCode=4673 Keywords=Audit\sFailure
In your case the quotes are interpreted as part of the regexes, so if your values don't contain them, they're not getting filtered out.
Hi @nick_currie,
To blacklist events you can use several approaches in WinEventLog:
blacklist = <comma-separated list> | key=regex [key=regex]
If you have more fields, I'd prefer to use a regex:
blacklist = EventCode=4673.*Keywords=Audit Failure
Ciao.
Giuseppe
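Before iterating on the inputs.conf stanza, it helps to confirm on the endpoint what the Keywords field of a 4673 event actually carries, and to see whether the regex bodies discussed in this thread match that value at all. The script below is an added example and is not code from any of the posts or from Splunk; it uses Get-WinEvent to pull recent 4673 events of both outcomes, prints the rendered keyword text beside the raw keyword bitmask, and dry-runs the candidate patterns with .NET regex. The assumptions are labelled in the comments: that the UF builds its Keywords field from the event's KeywordsDisplayNames, and that -cmatch approximates the PCRE search the UF runs (it does not model how the UF parses the delimiters in the stanza). Reading the Security log requires an elevated PowerShell.

```powershell
# Added example, not code from the thread: check what the Keywords field of
# Event ID 4673 actually carries on a host, and dry-run the candidate regexes
# from the thread against that value before touching inputs.conf.
# Run in an elevated PowerShell: reading the Security log needs admin rights.

$auditFailure = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
$auditSuccess = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditSuccess

# A few recent 4673 events of each outcome. FilterHashtable's Keywords key is a
# bitmask match, so the AuditFailure/AuditSuccess bits alone are enough to select.
$events = @()
foreach ($mask in $auditFailure, $auditSuccess) {
    $events += @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673; Keywords = $mask } -MaxEvents 5 -ErrorAction SilentlyContinue)
}

foreach ($e in $events) {
    # KeywordsDisplayNames is the human-readable form ("Audit Failure" / "Audit Success");
    # Keywords is the raw bitmask (0x8010000000000000 for failure, 0x8020000000000000 for success).
    # Assumption: the UF renders its Keywords field from these display names.
    $kwText = $e.KeywordsDisplayNames -join ', '
    # Process Name is pulled out of the rendered message text, as it appears in the post's sample event.
    $proc = if ($e.Message -match 'Process Name:\s+(\S+)') { $Matches[1] } else { '?' }
    '{0}  Keywords=0x{1:X16}  "{2}"  {3}' -f $e.TimeCreated, $e.Keywords, $kwText, $proc
}

# Dry-run of the regex bodies discussed in the thread against the rendered value.
# -cmatch is case-sensitive .NET regex, an approximation of the PCRE search the UF
# applies. It does not model how the UF parses the delimiters around the regex.
$sample   = 'Audit Failure'    # constructed: the Keywords value shown in the original post
$patterns = 'Audit Failure', 'Audit\sFailure', '.*Failure', 'Failure', 'Audit Success'
foreach ($p in $patterns) {
    '{0,-16} matches "{1}": {2}' -f $p, $sample, ($sample -cmatch $p)
}
```

Under .NET regex the four failure patterns all match "Audit Failure" and "Audit Success" does not, so a stanza that still passes failure events is not failing on the regex body; the thing to vary is the delimiter around it in inputs.conf (the quoted form that worked for the original poster, or the %...% and /.../ forms from the docs). The decisive check is on the Splunk side after the UF is restarted: a search such as index=corp_oswinsec EventCode=4673 Keywords="Audit Failure" should return no new events while the Audit Success ones keep arriving.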