Re: Error with blacklisting 4662 events in inputs....

aelliott · ‎07-15-2014

When attempting to use the following suggestion on blacklisting 4662 events, I run into an error in splunkd.log

http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

I have the UF 6.1.1 installed on my dc's.

Error:

07-15-2014 10:37:30.358 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - Processing: 'blacklist1', failed to find delimeter '4' in regex '4662 Message="Object Type:\s+(?!groupPolicyContainer)"' for key 'EventCode '. Discarding.

inputs.conf:

[WinEventLog://Security]
checkpointInterval = 5
disabled = 0 
start_from = oldest
current_only = 1
index = dclogs
maxKBps=0
evt_resolve_ad_obj = 0
evt_dc_name = localhost
blacklist1 = EventCode=4662 Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode=566 Message="Object Type:\s+(?!groupPolicyContainer)"

phirayam · ‎07-31-2014

I think that the regex is missing a pair of quotations. I think that the blacklist lines should look like:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"

That would explain the error message with the 4 being picked up as a delimeter instead.

Ayn · ‎07-15-2014

Could you post relevant configs?

Error with blacklisting 4662 events in inputs.conf

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!