Getting Data In

Event4662: To blacklist $user name in Subject User name

PratikPashte
Explorer

Hello Team,

I have been working to optimize the data going to Splunk and found EventCode 4662, Object Type= Computers are forwarding huge amount of data.

Upon further investigation I found that Subject user name having $ (Local Account) can be blacklist from sending to Splunk Cloud.

To do so I added below regex on the Splunk Application over Deployment Server,

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))"
renderXml=true
index = DC_Events

 

The below regex completely works fine on Sample Data, 

blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"

This would help me not to send the user name having $ in Subject User name which could save lot of space over splunk as more than 100s of servers are sending the data to the splunk and would increased eventually.

Thanks & Regards,

Pratik Pashte

 

 

Labels (1)
0 Karma

PratikPashte
Explorer

Hi Giuseppe,

The above inputs.conf is not working as expected, actually do not want any other user name mostly with $ in the event which is actually consuming the Splunk Space.

 

So i have created that regex to blacklist the Subject Username with $ but it is not working I could still get users on Splunk for that particular event code.

blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"

This is my inputs.conf file,

 

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))"
renderXml=true
index = DC_Events

 

0 Karma

gcusello
Esteemed Legend

Hi @PratikPashte,

check the regex using the regex command, remembering to escape special chars.

If you want an help, please share a message because I have an italian windows.

Ciao.

Giuseppe

0 Karma

PratikPashte
Explorer

Yes, i have escaped special character in the regex, do you suggest any more I need to tweak in the below regex.

blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"

 

 

0 Karma

gcusello
Esteemed Legend

Hi @PratikPashte,

please share a sample of your logs.

Could you display your regex using the Code Sample button?

Ciao.

Giuseppe

0 Karma

gcusello
Esteemed Legend

Hi @PratikPashte,

good idea if is working for you, only one hint: check that in the filtered data there isn't any interesting data, because using a filter as the one you described you don't index those events and you lose them.

I sow that sometimes in Windows logs there are more different User_Names in the same event.

Anyway, good for you, only for completeness: what's your real question?

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...