Getting Data In

Filtering on WinEvent IDs

thekevinkalis
New Member

Hi all, sorry if this has been asked before, but my initial searches haven't turned up anything.

I'm fairly new to Splunk so just finding my way. 

I'm trying to add Windows Firewall events to a Splunk instance with a Universal Forwarder, but I'm trying to filter some of the noise from the specific event - specifically the Unicast messages are of no interest to me.

So I've tried simply creating a blacklist in my inputs.conf

blacklist4 = EventCode="5152" Protocol="17"

However, this doesn't work, and simply allows all those events through.

From what I've been able to find, I can't quite figure out how I need to create the blacklist to block only those specific events.

Any help would be most appreciated.


thekevinkalis
New Member

@PickleRick thanks, I think that's done it: I've changed the message part of the blacklist with that bit of regex you suggested, and have it working now. Now I can get round to some fine tuning.

As a side note, to anyone who might come across this: my original (non-working) text didn't contain a ":" as it was used in the source message. Once I corrected it to match, it started working. So it turned out as:

blacklist4 = EventCode="5152" Message="Protocol:\s*17"

0 Karma
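For readers who want to see why the original line never matched, here is a small Python approximation of how one blacklist entry is evaluated (an added illustration, not Splunk's code and not from anyone in this thread): each key="regex" pair is an unanchored regex search against the named event field, all pairs in one entry must match for the event to be dropped, and a bare comma-separated value is treated as a list of event codes. The 5152 message below is constructed.

```python
import re

# Constructed sample: the text-rendered Message of Security event 5152
# ("The Windows Filtering Platform has blocked a packet"), trimmed to the
# fields that matter here. Note the real layout is "Protocol:<tabs>17",
# which is why "Protocol = 17" and "Protocol=17" never match.
SAMPLE_EVENT = {
    "EventCode": "5152",
    "Message": (
        "The Windows Filtering Platform has blocked a packet.\r\n\r\n"
        "Network Information:\r\n"
        "\tDirection:\t\tInbound\r\n"
        "\tSource Address:\t\t192.0.2.10\r\n"
        "\tSource Port:\t\t137\r\n"
        "\tDestination Address:\t192.0.2.255\r\n"
        "\tDestination Port:\t\t137\r\n"
        "\tProtocol:\t\t17\r\n"
    ),
}

# key="regex" pairs; the key may be one of the special $-prefixed ones.
PAIR_RE = re.compile(r'(\$?\w+)="((?:[^"\\]|\\.)*)"')


def parse_blacklist(entry: str) -> dict:
    """Turn the right-hand side of a blacklistN line into {key: regex}.

    Approximation of Splunk's behaviour: a value with no key="regex" pairs
    (like blacklist3 above) is a list of exact EventCodes; ranges such as
    1-100 are not handled here.
    """
    pairs = PAIR_RE.findall(entry)
    if not pairs:
        codes = [c.strip() for c in entry.split(",")]
        return {"EventCode": re.compile("^(?:" + "|".join(map(re.escape, codes)) + ")$")}
    return {key: re.compile(rx) for key, rx in pairs}


def entry_matches(entry: str, event: dict) -> bool:
    """True if the event would be dropped by this entry (all pairs must match)."""
    rules = parse_blacklist(entry)
    return all(rx.search(event.get(key, "")) for key, rx in rules.items())


if __name__ == "__main__":
    for value in (
        'EventCode="5152" Message="Protocol = 17"',   # the original, non-working line
        'EventCode="5152" Message="Protocol:\\s*17"', # the line that worked
        'EventCode="515"',                            # unanchored: also drops 5152!
    ):
        print(value, "->", "dropped" if entry_matches(value, SAMPLE_EVENT) else "kept")
```

Because the searches are unanchored, a short EventCode regex like "515" also matches 5152; anchoring it ("^515$") avoids that.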

PickleRick
SplunkTrust

Yes, this has been asked quite a lot before but also - yes, it is confusing.

1. You can use the key=*regex* form for matching only specific keys. They are explicitly listed in the docs.

# Valid keys for the key=regex format:

* The following keys are equivalent to the fields that appear in the text of
  the acquired events:
  * Category, CategoryString, ComputerName, EventCode, EventType, Keywords,
    LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,
    TaskCategory, Type, User
* There are three special keys that do not appear literally in the event.
  * $TimeGenerated: The time that the computer generated the event
  * $Timestamp: The time that the event was received and recorded by the
                Event Log service.
  * $XmlRegex: Use this key for filtering when you render Windows Event
    log events in XML by setting the 'renderXml' setting to "true". Search
    the Splunk platform Getting Data In Manual for "Filter data in XML format 
    with the XmlRegex key" for details.

That means that you can't filter on Protocol="17".

2. You could do it by matching

Message="Protocol=17"

or something like that. But

3. Whether you match this way or with $XmlRegex key depends on whether you're ingesting your data in the traditional way or as XML.

0 Karma

thekevinkalis
New Member

@PickleRick thanks for responding, however reading those docs is confusing as hell, and I feel like I know even less now.

Could you possibly dumb it down (even further) for me? I have RenderXml set to "False".

This is the part of my "inputs.conf" I'm looking at, specifically the "blacklist4" line is causing major frustration:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
key=*regex*
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = 4624,4634,4648,4719,4798,4799,5379,5381,5382,4985,4663,4672
blacklist4 = EventCode="5152" Message="Protocol = 17"
renderXml = false

I've already tried a bunch of different formatting for the message part. As soon as I omit it, the events are blocked, but I can't get that filter to do what I want.

0 Karma

PickleRick
SplunkTrust

As I said, I know it's confusing 😉

OK. We established you're using the traditional text format for your events (which is a bit obsolete by now and XML is the recommended one; but that's another story).

So if you create a blacklist entry of

Message="Protocol = 17"

your message field in the event must contain exactly this string. Including this specific combination of spaces around the equal sign. I suppose your real data doesn't have it.

You might try

Message="Protocol\s*=\s*17"

or

Message="Protocol=17"

I don't know your raw data (and my Windows boxes don't log this kind of event) so I can't help you with this particular case, but you must match the part after Message= to the actual contents of your event. I'm not sure if you will have Protocol=17 in your data or Protocol: 17 or something else. Don't know your data.

0 Karma