Getting Data In

Error with blacklisting 4662 events in inputs.conf

aelliott
Motivator

When attempting to use the following suggestion on blacklisting 4662 events, I run into an error in splunkd.log

http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

I have the UF 6.1.1 installed on my dc's.

Error:

07-15-2014 10:37:30.358 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - Processing: 'blacklist1', failed to find delimeter '4' in regex '4662 Message="Object Type:\s+(?!groupPolicyContainer)"' for key 'EventCode '. Discarding.

inputs.conf:

[WinEventLog://Security]
checkpointInterval = 5
disabled = 0 
start_from = oldest
current_only = 1
index = dclogs
maxKBps=0
evt_resolve_ad_obj = 0
evt_dc_name = localhost
blacklist1 = EventCode=4662 Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode=566 Message="Object Type:\s+(?!groupPolicyContainer)"
0 Karma

phirayam
Engager

I think that the regex is missing a pair of quotations. I think that the blacklist lines should look like:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"

That would explain the error message with the 4 being picked up as a delimeter instead.

Ayn
Legend

Could you post relevant configs?

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!