Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you help me get blacklist WinEventLog Security to work?

dkeck
Influencer
‎01-28-2019 04:11 AM

Hi,

I tried to blacklist Windows event logs for EventCode and Message field content.

I can't figure out what's going wrong here.

My input, that was deployed to my universal forwarders ( I can see in internal that this happened for sure). App has "Restart Splunkd" and " Enable App" marked. Also checked with btool that the clients are picking up the conf changes.

[WinEventLog://Security]

blacklist1= EventCode="4627" Message="Account\sName:\s+\w+\$$"
blacklist2= EventCode="4661" Message="Account\sName:\s+\w+\$$"

I want to filter out EventCode 4627 and 4661 IF Account Name contains Names ending with $. Thats why I have $ twice. One for actually $ and one for end of line.

I am using Message as a key field, since in inputs.conf, it's stated that WinEventLogs needs certain key fields, within you can then extract your value.

The following keys are equivalent to
the fields that appear in the text of
the acquired events: * Category,
CategoryString, ComputerName,
EventCode, EventType, Keywords,
LogName, Message, OpCode, RecordNumber, Sid, SidType,
SourceName,TaskCategory, Type, User"

Regex101 is extracting properly.

I had a look in the _internal for blacklist1 and blacklist2 and for stanza WinEventLog://Security. No Error or Warm messages from clients.

I use this search index=myindex (EventCode="4661" OR EventCode="4627") Account_Name="*$" to test if there are still events coming. For now they are.

So If anyone has a good hint on how to do this, please let me know. I would appreciate specific answers (why your code should work not only the code itself). Thank you 🙂

Example Event for 4661

EventCode=4661

EventType=0

Type=Information

ComputerName=xxx

TaskCategory=SAM

OpCode=Info

RecordNumber=xxx

Keywords=Audit Success

Message=A handle to an object was requested.Subject :

    Security ID:        xxxx

    Account Name:        XXXXXX$
0 Karma
Reply

whrg
Motivator
‎01-28-2019 06:11 AM

Hello @dkeck,

I assume not all lines are shown in your example event. That is, the last line is not "Account Name: ..."

So I believe you need to enable multi line mode. That way, $ will match the end of the line instead of the whole text.

When you open regex101.com, you can see that multi line mode is enabled by default on regex101. When it comes to Splunk, you need to prefix the regex with (?m).

So I suggest you try something like this:

blacklist1 = EventCode="4627" Message="(?m)Account Name:\s+\w+\$$"
0 Karma
Reply

dkeck
Influencer
‎01-28-2019 06:14 AM

Thank you for your response. I will try that.

No its not the whole event, since win eventlog is pretty long.

But it continues like this:

Subject :
Security ID: xx
Account Name: XXXXXX$
Account Domain: XXXX
Logon ID: XXXX

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...