Can I blacklist a SourceName on a Windows Security...

Magnus_001 · ‎09-24-2015

Hello,

I am using Splunk Enterprise 6.2.3 Universal Forwarder to monitor events from the Security log on a Windows server. I need to be able to blacklist all events with SourceName = "Microsoft Windows security auditing." and SourceName="Microsoft-Windows-Eventlog". Can this be done? I can blacklist EventCode with a UF but the SourceName doesn't seem to work. Thanks!

This works...

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4747"
blacklist2 = EventCode="4858"

This does not...

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = SourceName="Microsoft-Windows-Eventlog"
blacklist2 = SourceName="Microsoft Windows security auditing."

Richfez · ‎09-24-2015

I wonder, does it see the "." in your blacklist2 item and believes that's a regex?

It may be worth trying one of the following:

blacklist1 = SourceName="Microsoft-Windows-Eventlog"
blacklist2 = SourceName="Microsoft Windows security auditing\."

or

blacklist1 = SourceName="Microsoft-Windows-Eventlog"
blacklist2 = SourceName="Microsoft Windows security auditing"

I really don't know precisely HOW it determines if your lines fits the non-regex or the regex filtering way. (As per docs)

Magnus_001 · ‎09-24-2015

Hi All,

I got it to work by adding a regex statement to the blacklist.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = SourceName="^Microsoft.*$"

Can I blacklist a SourceName on a Windows Security Log event using a Universal Forwarder?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!