Filter Windows EventCode using blacklist and Whitelist

sat94541
Communicator

I have installed Splunk Universal Forwarder version 6.1.1 and the Indexer is also on 6.1.1. I am trying to understand the various options to filter EventCode with these versions of Splunk. I think Splunk has introduced some new capability to have a whitelist and blacklist in the Universal Forwarder input stanza.

nychawk
Communicator

Hello;

I am already collecting and forwarding all logs from my servers into WEC; WEC then whitelists and resends into Splunk only the Security Event IDs I am interested in.

I would like to additionally resend into Splunk "whitelisted" "System" logs, but only for "error" and "critical"; i.e., not EventID based, as I am not sure what they are, plus I do not wish to index informational garbage.

Does anyone know how to white-list based on level vs. ID?

Thank you in advance,

-mi

Michael
Contributor

FWIW, I tested multiple versions of all this, to no avail. I even read a Splunk blog that's often cited by similar questions... I love it when you read "accepted answers" for your questions, and docs, and blogs, and NONE of what they say work until you experiment on your own and stumble upon a solution, happens more times than I want to admit.

Here's what finally worked for me (your mileage may vary):

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="5156" Message="*"

Using a deployment server (6.5.1) and Universal Forwarders (6.5.1). Don't know if all that other cruft is necessary, but it works for me. Oh, and make sure you don't have more than one [WinEventLog://Security] stanza.

rbal_splunk
Splunk Employee

I just tested this in my environment. I have a Windows event with details like the following:
An account was successfully logged on.

Subject:
    Security ID:        SYSTEM
    Account Name:       RBAL-W540$
    Account Domain:     SPLUNK
    Logon ID:       0x3e7
Logon Type:         7
New Logon:
    Security ID:        SPLUNK\rbal
    Account Name:       rbal
    Account Domain:     SPLUNK
    Logon ID:       0x89edb5c5
    Logon GUID:     {3d3aefbf-9375-dbcc-f004-cce3f3ddbbd3}
Process Information:
    Process ID:     0x358
    Process Name:       C:\Windows\System32\lsass.exe
Network Information:
    Workstation Name:   RBAL-W540
    Source Network Address: -

To filter such an event I had to add a blacklist like:
---------$SPLUNK_HOME/etc/system/local/inputs.conf----------
[WinEventLog://Security]
blacklist1=EventCode="4624" Message="Workstation Name:\s+.RBAL."

Note the " (double quotes) around the Message and another pair around the EventCode to be filtered.
In addition, I checked the regex that I wrote for Message using http://regexr.com/v1/
Another thing to check is that the blacklist needs to be added to the inputs where the data is ingested from.

Another thing to watch out for: if data is ingested on a Universal Forwarder, you need to add the blacklist to the input stanza on the Splunk Universal Forwarder.
If the data is ingested directly by the indexer, in that case the input with the blacklist goes on the indexer.


rbal_splunk
Splunk Employee

I needed to filter an event like the one shown below (Process Name: C:\Windows\System32\services.exe):

Subject:
    Security ID:        SYSTEM
    Account Name:       RBAL-T430S$
    Account Domain:     SPLUNK
    Logon ID:       0x3e7

Logon Type:         5

New Logon:
    Security ID:        SYSTEM
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
    Logon ID:       0x3e7
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x314
    Process Name:       C:\Windows\System32\services.exe

Network Information:
    Workstation Name:   
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Advapi  
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

The following filter was used in inputs.conf on the forwarder and this worked well for me.

[WinEventLog://Security]
blacklist1= Message="Process Name:\s+.*services.exe"

rbal_splunk
Splunk Employee

Here are some examples based on my tests with Universal Forwarder version 6.1.3 and Indexer 6.2.1.

Test 1: Data for EventCode=4672 NOT filtered

[WinEventLog://Security]
disabled = 0
blacklist1=EventCode=4672

Test 2: EventCode 4672 was filtered out

[WinEventLog://Security]
disabled = 0
blacklist1=EventCode="4672"

Test 3: Filter event code 4672 with any message:

[WinEventLog://Security]
disabled = 0
blacklist1=EventCode="4672" Message="*"

Test 4: Another example, to see if it will filter event code 4672 with any message

[WinEventLog://Security]
disabled = 0
blacklist1=EventCode=4672 Message="*"

Result :: Data NOT Filtered

Test 5: In the example below, EventCode 4672 with Message starting with "Special" got filtered.

[WinEventLog://Security]
disabled = 0
blacklist1=EventCode="4672" Message="Special*"

Result :: Data Filtered

Test 6: Here EventCode 4672 with Message starting with "Special" got filtered. In addition, all events for codes 4624 and 4648 also got filtered.

[WinEventLog://Security]
disabled = 0
blacklist1= EventCode="4672" Message="Special*"
blacklist2= 4624,4648

vsingla1
Communicator

I am trying to configure a blacklist on my Windows events similar to the scenario that you have put in "Test 5" above.
Your blacklist:
[WinEventLog://Security]
disabled = 0
blacklist1=EventCode="4672" Message="Special*"

My blacklist:
[WinEventLog://Security]
disabled = 0
blacklist1=EventCode="4776" Message="0x0"

My sample data is as below:
Event to be filtered:
02/04/2016 04:55:19 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=computer1
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=18834479
Keywords=Audit Success
Message=The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: SPFARM
Source Workstation: WCHWPF464
Error Code: 0x0

Event not to be filtered:
02/04/2016 04:55:19 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=computer2
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=18304483
Keywords=Audit Failure
Message=The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:
Source Workstation:
Error Code: 0xc0000064

But following the example in the "Test 5" use case, my filter does not work and instead it blacklists all events under EventCode=4776. Do you have any thoughts on this?

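The tests above show the two rule forms the [WinEventLog://...] stanza accepts (a comma-separated list of event IDs, or key="regex" pairs that must all match) and that an unquoted value filters nothing. The script below is an added example, not code from the thread or from Splunk: it is an offline model of those rules that parses forwarder-rendered events (the two 4776 events from the post above, reformatted one field per line) and reports which records a given whitelist/blacklist set would keep, so a regex can be checked before it is pushed to a forwarder. Assumptions, also marked in the code: the regex is searched anywhere in the named field, case-sensitively; a blacklist hit drops an event even when a whitelist matched it; event-ID ranges such as 4770-4780 are accepted; and Python's re is used, whose syntax differs in corners from the forwarder's engine (a bare `*` as in Test 3 is rejected here).

```python
"""Offline model of inputs.conf [WinEventLog://...] whitelist/blacklist rules.

Added example for testing rules against sample events; assumptions are marked.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set


def parse_rendered_event(raw: str) -> Dict[str, str]:
    """Turn one rendered event (timestamp line, Key=Value lines, Message last) into a dict."""
    lines = raw.strip().splitlines()
    fields = {"_time": lines[0].strip()}  # first line is the timestamp and has no key
    for i, line in enumerate(lines[1:], start=1):
        if line.startswith("Message="):
            # Message runs from here to the end of the event and spans several lines
            body = [line[len("Message="):]] + lines[i + 1:]
            fields["Message"] = "\n".join(body).strip()
            break
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


@dataclass
class Rule:
    codes: Optional[Set[int]] = None                    # "4624,4648" / "4624-4634" form
    patterns: Optional[Dict[str, re.Pattern]] = None    # key="regex" form, all must match


# key="regex": the value must be double-quoted; backslash escapes inside are kept for re
_KV = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')


def parse_rule(text: str) -> Rule:
    text = text.strip()
    if "=" not in text:
        codes: Set[int] = set()
        for part in text.split(","):
            lo, dash, hi = part.strip().partition("-")
            # assumption: ranges like 4770-4780 are accepted alongside single IDs
            codes.update(range(int(lo), int(hi) + 1) if dash else [int(lo)])
        return Rule(codes=codes)
    # Tests 1 and 4 above: an unquoted value filters nothing, so reject it outright
    leftover = _KV.sub("", text).strip()
    if leftover:
        raise ValueError(f"value must be double-quoted, got: {leftover!r}")
    return Rule(patterns={k: re.compile(v) for k, v in _KV.findall(text)})


def rule_is_valid(text: str) -> bool:
    """True if the rule parses (quoted values, compilable regexes)."""
    try:
        parse_rule(text)
        return True
    except (ValueError, re.error):
        return False


def rule_matches(rule: Rule, event: Dict[str, str]) -> bool:
    if rule.codes is not None:
        return int(event.get("EventCode", "-1")) in rule.codes
    # assumption: each regex is searched anywhere in its field, case-sensitively, AND-combined
    return all(p.search(event.get(k, "")) for k, p in rule.patterns.items())


def keep_event(event: Dict[str, str], whitelists: Sequence[str] = (),
               blacklists: Sequence[str] = ()) -> bool:
    wl = [parse_rule(r) for r in whitelists]
    bl = [parse_rule(r) for r in blacklists]
    if wl and not any(rule_matches(r, event) for r in wl):
        return False  # a whitelist exists and nothing in it matched
    # assumption: a blacklist hit drops the event even if a whitelist matched it
    return not any(rule_matches(r, event) for r in bl)


def surviving_records(raw_events: Sequence[str], whitelists: Sequence[str] = (),
                      blacklists: Sequence[str] = ()) -> List[str]:
    """RecordNumbers of the events that would reach the indexer."""
    kept = []
    for raw in raw_events:
        ev = parse_rendered_event(raw)
        if keep_event(ev, whitelists, blacklists):
            kept.append(ev["RecordNumber"])
    return kept


# The two 4776 events from the post above, one field per line (constructed sample input).
EVENT_SUCCESS = """\
02/04/2016 04:55:19 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=computer1
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=18834479
Keywords=Audit Success
Message=The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: SPFARM
Source Workstation: WCHWPF464
Error Code: 0x0
"""

EVENT_FAILURE = """\
02/04/2016 04:55:19 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=computer2
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=18304483
Keywords=Audit Failure
Message=The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:
Source Workstation:
Error Code: 0xc0000064
"""

if __name__ == "__main__":
    events = [EVENT_SUCCESS, EVENT_FAILURE]
    for rules in (['EventCode="4776" Message="0x0"'],
                  ['EventCode="4776" Message=r"Error Code:\s+0x0$"'.replace('r"', '"')],
                  ['Keywords="Audit Failure"']):
        print(f"blacklist {rules} keeps records {surviving_records(events, blacklists=rules)}")
    print("whitelist 5058,5061 keeps", surviving_records(events, whitelists=["5058,5061"]))
    for r in ('EventCode=4672', 'EventCode="4672"', 'EventCode=4672 Message="*"'):
        print(f"{r!r:35} valid={rule_is_valid(r)}")
```

Under these semantics `EventCode="4776" Message="0x0"` drops only the first event (0x0 is not a substring of 0xc0000064), whereas the post above reports the forwarder dropping every 4776 event. Use the model to confirm the regex says what you mean, then check the deployed stanza (a single [WinEventLog://Security] stanza on the host that ingests the data, as noted earlier in the thread) before blaming the regex. An anchored form such as Message="Error Code:\s+0x0$" is less likely to match unintended text than a bare "0x0".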

wcolgate_splunk
Splunk Employee

In 6.0 one could filter on just the event code in the Windows event log modular input. In 6.1 Splunk introduced a regular expression filtering capability. A good blog post can be found here: http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

rbal_splunk
Splunk Employee

I have tested using Splunk Universal Forwarder version 6.1.1 and Splunk Indexer 6.1.1.

Test 1: On the Universal Forwarder I added whitelist1 and only these EventCodes got forwarded to the Indexer.

[WinEventLog://Security]
whitelist1 = 5058,5061

Refer: http://docs.splunk.com/Documentation/Splunk/6.1.1/Admin/Inputsconf ; 9 whitelist entries can be specified.

Test 2: On the Universal Forwarder I added blacklist1 and all the EventCodes blacklisted were filtered.

[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 0
blacklist1 = 1100,1101,4608,4616,4624,4634,4647,4648,4672,4731,4732,4733,4735,4902,4904,4905,4907,5024,5033,5038,5056,5058,5061

Refer: http://docs.splunk.com/Documentation/Splunk/6.1.1/Admin/Inputsconf ; 9 blacklist entries can be specified.

Test 3: The old traditional approach (prior to 6.1.1) still works, where all the events on the Universal Forwarder are ingested and a nullQueue filter is applied on the Indexer.

For example :

1) Add the following stanza to props.conf on the indexer

[WinEventLog:Security]
TRANSFORMS-set = delete

2) Add the following stanza to transforms.conf on indexer
[delete]
REGEX = (.EventCode=1100.|.EventCode=1101.|.EventCode=4608.|.EventCode=4616.|.EventCode=4624.|.EventCode=4634.|.EventCode=4647.|.EventCode=4648.|.EventCode=4672.|.EventCode=4731.|.EventCode=4732.|.EventCode=4733.|.EventCode=4735.|.EventCode=4902.|.EventCode=4904.|.EventCode=4905.|.EventCode=4907.|.EventCode=5024.|.EventCode=5033.|.EventCode=5038.|.EventCode=5056.|.EventCode=5058.|.EventCode=5061.|.EventCode=6281.)
DEST_KEY=queue
FORMAT = nullQueue

All the EventCodes listed were filtered and not indexed.
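A tighter variant of the nullQueue filter in Test 3, added here as an example and not taken from the post: the same event codes, but the REGEX is anchored to the EventCode line with PCRE's (?m) flag instead of relying on a "." on either side of the code, so it cannot match a code embedded in a longer number and does not depend on which character precedes or follows the line (a bare "." in PCRE does not match a newline by default). The stanza names and the code list are those from the post; everything else is an assumption for illustration.

```ini
# props.conf on the indexer (or on the first heavy forwarder that parses the data).
# Universal Forwarders do not parse, so the filter must sit where parsing happens.
[WinEventLog:Security]
TRANSFORMS-set = delete

# transforms.conf on the same instance.
[delete]
# (?m): ^ and $ match at line boundaries of the multi-line rendered event.
# \s*$ tolerates a trailing \r on Windows-rendered lines.
REGEX = (?m)^EventCode=(1100|1101|4608|4616|4624|4634|4647|4648|4672|4731|4732|4733|4735|4902|4904|4905|4907|5024|5033|5038|5056|5058|5061|6281)\s*$
DEST_KEY = queue
FORMAT = nullQueue
```

Note that this approach still sends every event across the network from the forwarder and only discards it at parse time, so the inputs.conf blacklist from Test 2 is the cheaper option when the forwarder version supports it; the nullQueue transform remains useful for data that reaches the indexer by other routes.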
