Getting Data In

Event 4662: To blacklist $ user names in Subject User Name

PratikPashte
Explorer

Hello Team,

I have been working to optimize the data going to Splunk and found that EventCode 4662, Object Type = Computers, is forwarding a huge amount of data.

Upon further investigation I found that Subject User Names containing $ (local accounts) can be blacklisted from being sent to Splunk Cloud.

To do so, I added the regex below to the Splunk app on the Deployment Server:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))"
renderXml=true
index = DC_Events


The regex below works fine on sample data:

blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"

This would help me avoid sending events whose Subject User Name contains $, which could save a lot of space in Splunk, as more than hundreds of servers are sending data to Splunk and that number will eventually increase.

Thanks & Regards,

Pratik Pashte


PratikPashte
Explorer

Hi Giuseppe,

The above inputs.conf is not working as expected; actually, I do not want any other user names, mostly those with $, in the event, which is what is consuming the Splunk space.

So I have created that regex to blacklist the Subject User Name with $, but it is not working; I can still see those users in Splunk for that particular event code.

blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"

This is my inputs.conf file:


[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))"
renderXml=true
index = DC_Events


gcusello
SplunkTrust

Hi @PratikPashte,

Check the regex using the regex command, remembering to escape special chars.

If you want help, please share a message, because I have an Italian Windows.

Ciao.

Giuseppe


PratikPashte
Explorer

Yes, I have escaped the special characters in the regex. Do you suggest anything more I need to tweak in the regex below?

blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"


gcusello
SplunkTrust

Hi @PratikPashte,

Please share a sample of your logs.

Could you display your regex using the Code Sample button?

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @PratikPashte,

Good idea if it is working for you; only one hint: check that there isn't any interesting data in the filtered data, because with a filter like the one you described you don't index those events and you lose them.

I saw that sometimes in Windows logs there are several different User_Names in the same event.

Anyway, good for you, only for completeness: what's your real question?

Ciao.

Giuseppe

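As an added example (not from the thread or from Splunk), a small Python harness that replays the Message pattern of the posted blacklist1 against constructed XML-rendered Security events, so that the "check what the filter drops" advice above can be done before deploying. It also compares the posted pattern with a version anchored to the SubjectUserName element (my suggestion, not something the thread proposes); the sample events are constructed and deliberately minimal.

```python
import re

# Message pattern exactly as posted in the thread's blacklist1.
THREAD_RE = re.compile(r"(?:<Data Name='SubjectUserName'>).+(?:\$)")
# Tightened alternative (assumption, not from the thread): the '$' must sit
# inside the SubjectUserName element rather than anywhere later in the message.
TIGHT_RE = re.compile(r"<Data Name='SubjectUserName'>[^<]*\$</Data>")

def event_xml(event_id, subject, object_name):
    """Build a minimal XML-rendered Security event (constructed sample, not a real log)."""
    return (
        f"<Event><System><EventID>{event_id}</EventID></System>"
        f"<EventData><Data Name='SubjectUserName'>{subject}</Data>"
        f"<Data Name='ObjectName'>{object_name}</Data></EventData></Event>"
    )

# Constructed samples: a machine account, a human user, a human user whose
# later field happens to contain '$', and a different event code.
SAMPLES = [
    ("machine", event_xml(4662, "DC01$", "CN=DC01,OU=Domain Controllers,DC=corp,DC=local")),
    ("human", event_xml(4662, "jdoe", "CN=FS01,OU=Servers,DC=corp,DC=local")),
    ("human_dollar_later", event_xml(4662, "jdoe", "CN=BUILD$,OU=Servers,DC=corp,DC=local")),
    ("other_code", event_xml(4624, "DC01$", "")),
]

def blacklisted(event_id, xml, pattern):
    """Mimic blacklist1: EventCode must be 4662 AND the message must match."""
    return event_id == 4662 and pattern.search(xml) is not None

def evaluate(samples=SAMPLES):
    """Return {label: (dropped_by_thread_regex, dropped_by_tight_regex)}."""
    result = {}
    for label, xml in samples:
        event_id = int(re.search(r"<EventID>(\d+)</EventID>", xml).group(1))
        result[label] = (blacklisted(event_id, xml, THREAD_RE),
                         blacklisted(event_id, xml, TIGHT_RE))
    return result

if __name__ == "__main__":
    for label, (loose, tight) in evaluate().items():
        print(f"{label:20s} thread_regex_drops={str(loose):5} tight_regex_drops={tight}")
```

The unanchored `.+` in the posted pattern accepts a `$` anywhere after the SubjectUserName element, so the `human_dollar_later` sample is dropped by the thread's regex but kept by the anchored one; run the same harness over a real rendered event before trusting either.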