Getting Data In

Event4662: To blacklist $user name in Subject User name

PratikPashte
Explorer

Hello Team,

I have been working to optimize the data going to Splunk and found that EventCode 4662, Object Type = Computers, is forwarding a huge amount of data.

Upon further investigation I found that Subject User Names containing $ (local accounts) can be blacklisted from being sent to Splunk Cloud.

To do so I added the below regex to the Splunk application on the Deployment Server:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))"
renderXml=true
index = DC_Events

The below regex works completely fine on sample data:

blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"

This would help me avoid sending events whose Subject User Name contains $, which could save a lot of space on Splunk, as more than 100 servers are sending data to Splunk and this would increase eventually.

Thanks & Regards,

Pratik Pashte

0 Karma

PratikPashte
Explorer

Hi Giuseppe,

The above inputs.conf is not working as expected. Actually, I do not want any other user names, mostly those with $, in the event, which is actually consuming the Splunk space.

So I have created that regex to blacklist Subject User Names with $, but it is not working; I can still see those users in Splunk for that particular event code.

blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"

This is my inputs.conf file:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))"
renderXml=true
index = DC_Events

0 Karma

gcusello
SplunkTrust

Hi @PratikPashte,

Check the regex using the regex command, remembering to escape special characters.

If you want help, please share a message, because I have an Italian Windows.

Ciao.

Giuseppe

0 Karma

PratikPashte
Explorer

Yes, I have escaped the special characters in the regex. Do you suggest anything more I need to tweak in the below regex?

blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"

0 Karma

gcusello
SplunkTrust

Hi @PratikPashte,

Please share a sample of your logs.

Could you display your regex using the Code Sample button?

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @PratikPashte,

Good idea if it is working for you. Only one hint: check that there isn't any interesting data in the filtered events, because using a filter like the one you described you don't index those events and you lose them.

I saw that sometimes in Windows logs there are several different User_Names in the same event.

Anyway, good for you. Only for completeness: what's your real question?

Ciao.

Giuseppe

0 Karma
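As an added example (not code from the thread), the following script applies the blacklist1 regex posted above to a few constructed 4662 event fragments in renderXml style, and puts a tighter pattern beside it that anchors the `$` to the SubjectUserName element itself. It assumes Python's `re` behaves like Splunk's PCRE for these simple patterns and that a blacklist `Message=` regex drops the event whenever it matches anywhere in the message; the event fragments, user and host names are constructed. It makes Giuseppe's point concrete: the greedy `.+` in the posted regex runs from the SubjectUserName tag to any later `$` in the event, so a human user's access can be dropped too.

```python
import re

# Regex exactly as posted in the thread for the blacklist1 Message key.
POSTED = r"(?:<Data Name='SubjectUserName'>).+(?:\$)"
# Tighter alternative (assumption, not from the thread): the '$' must end the
# SubjectUserName element, so only machine accounts like DC01$ match.
TIGHT = r"<Data Name='SubjectUserName'>[^<]*\$</Data>"

# Constructed 4662 event bodies (renderXml style, trimmed to the relevant Data elements).
EVENTS = {
    "machine_account": (
        "<Data Name='SubjectUserName'>DC01$</Data>"
        "<Data Name='ObjectType'>computer</Data>"
        "<Data Name='ObjectName'>CN=DC02,OU=Domain Controllers,DC=corp,DC=example</Data>"
    ),
    # Human user, but a '$' appears later in the same event (constructed AdditionalInfo field).
    "human_with_dollar_later": (
        "<Data Name='SubjectUserName'>jdoe</Data>"
        "<Data Name='ObjectType'>computer</Data>"
        "<Data Name='ObjectName'>CN=WS01,OU=Workstations,DC=corp,DC=example</Data>"
        "<Data Name='AdditionalInfo'>WS01$</Data>"
    ),
    "human_no_dollar": (
        "<Data Name='SubjectUserName'>jdoe</Data>"
        "<Data Name='ObjectType'>user</Data>"
        "<Data Name='ObjectName'>CN=Jane Doe,OU=Users,DC=corp,DC=example</Data>"
    ),
}


def is_blacklisted(pattern: str, message: str) -> bool:
    """Simulate a blacklist Message= regex: the event is dropped if the regex matches anywhere."""
    return re.search(pattern, message) is not None


def evaluate(pattern: str) -> dict:
    """Return {event label: dropped?} for every constructed event under the given regex."""
    return {label: is_blacklisted(pattern, msg) for label, msg in EVENTS.items()}


if __name__ == "__main__":
    # The posted regex drops the human user's event as well; the tight one drops only DC01$.
    for name, pat in (("posted", POSTED), ("tight", TIGHT)):
        print(name, evaluate(pat))
```

Before deploying either pattern, run the same check over a real sample of your 4662 events so you can see exactly which events would no longer be indexed.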