I am trying to filter Windows events based on the Application Name and EventCode.
The application names I am trying to blacklist are splunkd.exe & zabbix_agentd.exe.
EventCode: 5156 & 5158
Sample Event:
06/18/2020 10:00:28 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=GURUABC.ad.xyz.com
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=1759943456
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 8873
Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe
Network Information:
Direction: Outbound
Source Address: 112.31.122.191
Source Port: 49346
Destination Address: 11.213.158.112
Destination Port: 8089
Protocol: 6
Filter Information:
Filter Run-Time ID: 66887
Layer Name: Connect
Layer Run-Time ID: 87
Inputs.conf on UF:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
I have tried the following different blacklisting options under inputs.conf on the UF.
# Option 1:
blacklist1=EventCode="5156" Message=”Application Name:\s(?\device\harddiskvolume2\program files\zabbix agent\zabbix_agentd.exe)”
blacklist2=EventCode="5156" Message=”Application Name:\s(?\device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe)”
blacklist3=EventCode="5158" Message=”Application Name:\s(?\device\harddiskvolume2\program files\zabbix agent\zabbix_agentd.exe)”
blacklist4=EventCode="5158" Message=”Application Name:\s(?\device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe)”
# Option 2:
blacklist1=EventCode="5156" ”Application\sName:\s(?\device\harddiskvolume3\program files\splunkuniversalforwarder\bin\splunkd.exe)"
blacklist2=EventCode="5158" ”Application\sName:\s(?\device\harddiskvolume3\program files\splunkuniversalforwarder\bin\splunkd.exe)"
# Option 3:
blacklist1=EventCode=%^5158$% Message=%*zabbix_agentd.exe%
blacklist2=EventCode=%^5158$% Message=%*splunkd.exe%
# Option 4:
blacklist1=EventCode=%^5156$% Application Name=%(*\bin\splunkd.exe|*\zabbix_agentd.exe)%
blacklist2=EventCode=%^5158$% Application Name=%(*\bin\splunkd.exe|*\zabbix_agentd.exe)%
# Option 5:
blacklist1 = EventCode="5156" Application Name:"(*splunkd.exe|*zabbix_agentd.exe)"
blacklist2 = EventCode="5158" Application Name:"(*splunkd.exe|*zabbix_agentd.exe)"
# Option 6:
[WinEventLog://Security]
blacklist1=EventCode="5156" Message="Workstation Name:\s+*zabbix_agentd.exe*"
blacklist2=EventCode="5158" Message="Application Name:\s+*zabbix_agentd.exe*"
# Option 7: I have tried the following under props & transforms on the HF for routing the data to the null queue.
On HF:
In props.conf,
[WinEventLog]
TRANSFORMS-null= setnull
In transforms.conf
[setnull]
REGEX = (?s)EventCode=(5156|5158).*Application Name:\s.device.*\\splunkd.exe
DEST_KEY = queue
FORMAT = nullQueue
Unfortunately, none of the above is working. Please suggest.
Thanks in advance.
Try this on the UF.
blacklist1 = EventCode="^515[68]$" Message="Application\sName:\s(?:\\device\\harddiskvolume2\\program\sfiles\\zabbix\sagent\\zabbix_agentd\.exe|\\device\\harddiskvolume2\\program\sfiles\\splunkuniversalforwarder\\bin\\splunkd\.exe)$"
If you do not want to use the full paths you could use:
blacklist1 = EventCode="^515[68]$" Message="Application\sName:\s.*(?:zabbix_agentd|splunkd)\.exe$"
Hi @spayneort ,
Thank you so much for your reply. Unfortunately, neither blacklist stanza worked. I applied this under the monitoring stanza of the UF.
[WinEventLog://Security]
disabled = 0
ignoreOlderThan = 7d
evt_resolve_ad_obj = 1
checkpointInterval = 5
current_only=1
renderXml=false
index = win_event_logs
blacklist1= EventCode="^515[68]$" Message="Application\sName:\s.*(?:zabbix_agentd|splunkd)\.exe$"
Any suggestions?
Got this to work with similar syntax:
blacklist1 = EventCode="^468[89]$" Message="Process Name:(.*?(SplunkUniversalForwarder|or_any_other_program))"
Note the following:
1. The | is an OR
2. This finds anything that starts with your program.
3. Be careful of spaces; sometimes they don't really exist.
4. Don't use $, as you'll need a wildcard to find what you're looking for, plus it requires more processing power.
Hope that helps!
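The thread never shows why the first answer's regex failed on the UF while the last answer's worked, so here is an added example (not code from the original thread or from Splunk) that reproduces it offline. It emulates the inputs.conf blacklist semantics as a plain regex search against each field value, with all key=regex pairs required to match; that emulation is an assumption about Splunk's behaviour, as is the constructed sample event, which re-adds the tab indentation and CRLF line endings that a real 5156 message carries and that the forum rendering stripped. It runs the `$`-anchored Message regex from the first answer, the same regex without the anchor, and the Option 7 transforms.conf REGEX against that event.

```python
import re

# Constructed sample, modelled on the 5156 event in the question (not captured
# from a real host). Windows indents the message body with tabs and ends lines
# with CRLF; both matter for how the regexes below behave.
SAMPLE_EVENT = (
    "06/18/2020 10:00:28 PM\r\n"
    "LogName=Security\r\n"
    "SourceName=Microsoft Windows security auditing.\r\n"
    "EventCode=5156\r\n"
    "EventType=0\r\n"
    "Type=Information\r\n"
    "ComputerName=GURUABC.ad.xyz.com\r\n"
    "TaskCategory=Filtering Platform Connection\r\n"
    "OpCode=Info\r\n"
    "RecordNumber=1759943456\r\n"
    "Keywords=Audit Success\r\n"
    "Message=The Windows Filtering Platform has permitted a connection.\r\n"
    "\r\n"
    "Application Information:\r\n"
    "\tProcess ID:\t\t8873\r\n"
    "\tApplication Name:\t\\device\\harddiskvolume2\\program files"
    "\\splunkuniversalforwarder\\bin\\splunkd.exe\r\n"
    "\r\n"
    "Network Information:\r\n"
    "\tDirection:\t\tOutbound\r\n"
    "\tSource Address:\t\t112.31.122.191\r\n"
    "\tSource Port:\t\t49346\r\n"
    "\tDestination Address:\t11.213.158.112\r\n"
    "\tDestination Port:\t\t8089\r\n"
    "\tProtocol:\t\t6\r\n"
    "\r\n"
    "Filter Information:\r\n"
    "\tFilter Run-Time ID:\t66887\r\n"
    "\tLayer Name:\t\tConnect\r\n"
    "\tLayer Run-Time ID:\t87\r\n"
)

# Message regex exactly as in the first answer: anchored with '$'.
RULE_ANCHORED = {
    "EventCode": r"^515[68]$",
    "Message": r"Application\sName:\s.*(?:zabbix_agentd|splunkd)\.exe$",
}

# Same rule with the anchor removed, following point 4 of the last answer.
RULE_UNANCHORED = {
    "EventCode": r"^515[68]$",
    "Message": r"Application\sName:\s.*(?:zabbix_agentd|splunkd)\.exe",
}

# The transforms.conf REGEX from Option 7, applied to the raw event text the
# way a nullQueue transform sees it.
TRANSFORMS_REGEX = r"(?s)EventCode=(5156|5158).*Application Name:\s.device.*\\splunkd.exe"


def split_fields(event):
    """Split a classic-format WinEventLog event into {key: value}.

    Everything from 'Message=' to the end is the Message value, because the
    message body contains lines that are not key=value pairs. The leading
    timestamp line has no '=' and is skipped.
    """
    head, _, message = event.partition("Message=")
    fields = {}
    for line in head.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    fields["Message"] = message
    return fields


def blacklisted(event, rule):
    """Emulate an inputs.conf blacklist rule ({key: regex}, assumed semantics).

    Each regex is searched (not anchored) against its field's value and every
    pair must match for the event to be dropped. Like PCRE, '.' stops at a
    newline and '$' only matches at the very end of the value.
    """
    fields = split_fields(event)
    return all(re.search(regex, fields.get(key, "")) for key, regex in rule.items())


def transform_would_drop(event, regex=TRANSFORMS_REGEX):
    """True if the Option 7 nullQueue REGEX matches the raw event text."""
    return re.search(regex, event) is not None


if __name__ == "__main__":
    for name, rule in (("anchored", RULE_ANCHORED), ("unanchored", RULE_UNANCHORED)):
        verdict = "dropped" if blacklisted(SAMPLE_EVENT, rule) else "kept"
        print(f"blacklist {name:10s} -> {verdict}")
    print(f"transforms regex     -> {'matches' if transform_would_drop(SAMPLE_EVENT) else 'no match'}")
```

The anchored rule keeps the event: the Message value is the whole multi-line body, `.` does not cross the line break after `splunkd.exe`, and `$` can only match at the end of the last line, so an end anchor placed after `.exe` never matches. Dropping the anchor makes the same rule drop the event. The Option 7 REGEX does match the raw text under this emulation, so if that route did not drop events on the HF, the regex itself is not what stopped it.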