Error with blacklisting 4662 events in inputs.conf

aelliott · ‎07-15-2014

When attempting to use the following suggestion on blacklisting 4662 events, I run into an error in splunkd.log

http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

I have the UF 6.1.1 installed on my dc's.

Error:

07-15-2014 10:37:30.358 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - Processing: 'blacklist1', failed to find delimeter '4' in regex '4662 Message="Object Type:\s+(?!groupPolicyContainer)"' for key 'EventCode '. Discarding.

inputs.conf:

[WinEventLog://Security]
checkpointInterval = 5
disabled = 0 
start_from = oldest
current_only = 1
index = dclogs
maxKBps=0
evt_resolve_ad_obj = 0
evt_dc_name = localhost
blacklist1 = EventCode=4662 Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode=566 Message="Object Type:\s+(?!groupPolicyContainer)"

phirayam · ‎07-31-2014

I think that the regex is missing a pair of quotations. I think that the blacklist lines should look like:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"

That would explain the error message with the 4 being picked up as a delimeter instead.

Ayn · ‎07-15-2014

Could you post relevant configs?

Error with blacklisting 4662 events in inputs.conf

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Error with blacklisting 4662 events in inputs.conf

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!