Getting Data In

Event4662: To blacklist $user name in Subject User name

PratikPashte
Explorer

Hello Team,

I have been working to optimize the data going to Splunk and found that EventCode 4662, Object Type = Computers, is forwarding a huge amount of data.

Upon further investigation I found that Subject User Names containing $ (Local Account) can be blacklisted from being sent to Splunk Cloud.

To do so I added the regex below in the Splunk application on the Deployment Server:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))"
renderXml=true
index = DC_Events


The regex below works completely fine on sample data:

blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"

This would help me avoid sending events whose Subject User Name contains $, which could save a lot of space in Splunk, as more than 100 servers are sending data to Splunk and the volume will increase eventually.

Thanks & Regards,

Pratik Pashte


PratikPashte
Explorer

Hi Giuseppe,

The above inputs.conf is not working as expected; actually, I do not want any other user names, mostly those with $, in the events, as they are actually consuming Splunk space.

So I have created that regex to blacklist Subject User Names with $, but it is not working; I still get those users in Splunk for that particular event code.

blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"

This is my inputs.conf file:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))"
renderXml=true
index = DC_Events


gcusello
Esteemed Legend

Hi @PratikPashte,

Check the regex using the regex command, remembering to escape special chars.

If you want help, please share a message, because I have an Italian Windows.

Ciao.

Giuseppe

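Testing the posted blacklist pattern against sample events, as Giuseppe suggests, is easiest with a small harness. The one below is an added example and is not code from the thread or from Splunk; the sample events and the tighter TIGHT pattern are constructed here for illustration. It shows that the greedy `.+` in the posted pattern fires whenever a `$` appears anywhere later on the same line (for example inside ObjectName), which would silently drop a human user's 4662 event, and that the pattern cannot match the classic multi-line text rendering at all.

```python
import re

# The Message= value of blacklist1 exactly as posted in the thread.
POSTED = r"(?:<Data Name='SubjectUserName'>).+(?:\$)"
# Tighter pattern (an assumption added here, not from the thread): the $ must be
# the last character of the SubjectUserName value itself, not anywhere later.
TIGHT = r"<Data Name='SubjectUserName'>[^<]*\$</Data>"

# Constructed 4662 samples (not real logs). With renderXml=true the event arrives
# as one line of XML with single-quoted attributes; the last sample is the
# classic multi-line text rendering, included for comparison.
EVENTS = {
    "machine_account": (
        "<Event><System><EventID>4662</EventID></System><EventData>"
        "<Data Name='SubjectUserName'>DC01$</Data>"
        "<Data Name='ObjectType'>computer</Data>"
        "<Data Name='ObjectName'>CN=WS07,OU=Workstations,DC=example,DC=local</Data>"
        "</EventData></Event>"
    ),
    "human_user_dollar_later": (
        "<Event><System><EventID>4662</EventID></System><EventData>"
        "<Data Name='SubjectUserName'>jdoe</Data>"
        "<Data Name='ObjectType'>computer</Data>"
        "<Data Name='ObjectName'>CN=SRV02$,OU=Servers,DC=example,DC=local</Data>"
        "</EventData></Event>"
    ),
    "human_user_clean": (
        "<Event><System><EventID>4662</EventID></System><EventData>"
        "<Data Name='SubjectUserName'>jdoe</Data>"
        "<Data Name='ObjectType'>user</Data>"
        "<Data Name='ObjectName'>CN=jdoe,OU=Users,DC=example,DC=local</Data>"
        "</EventData></Event>"
    ),
    "classic_text": "Subject:\r\n\tAccount Name:\t\tDC01$\r\n\tObject Type:\t\tcomputer",
}


def is_blacklisted(pattern: str, event: str) -> bool:
    """True if the blacklist regex matches the event. Splunk evaluates these
    patterns with PCRE; for the two patterns above Python's re behaves the same."""
    return re.search(pattern, event) is not None


def compare(events=EVENTS):
    """Map sample name -> (posted pattern matches, tight pattern matches)."""
    return {name: (is_blacklisted(POSTED, ev), is_blacklisted(TIGHT, ev))
            for name, ev in events.items()}


if __name__ == "__main__":
    for name, (posted, tight) in compare().items():
        print(f"{name:26} posted={posted!s:5} tight={tight}")
```

A mismatch between the format of the sample data and what the forwarder actually emits (XML versus classic text) is one reason a pattern can pass on samples and still not filter in production.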

PratikPashte
Explorer

Yes, I have escaped the special characters in the regex. Do you suggest anything more I need to tweak in the regex below?

blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"


gcusello
Esteemed Legend

Hi @PratikPashte,

Please share a sample of your logs.

Could you display your regex using the Code Sample button?

Ciao.

Giuseppe


gcusello
Esteemed Legend

Hi @PratikPashte,

Good idea if it is working for you, only one hint: check that there isn't any interesting data in the filtered data, because using a filter like the one you described you don't index those events and you lose them.

I saw that sometimes in Windows logs there are several different User_Names in the same event.

Anyway, good for you; only for completeness: what's your real question?

Ciao.

Giuseppe
