Heavy Forwarder Pulling Windows events: blacklist not working

klutzen
Explorer

Blacklists and suppress_text in Splunk 6.2.4 are not working for me on a heavy forwarder.

My inputs.conf is:

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
blacklist = 5152-5158
suppress_text = 1
...

And I've also tried

[WMI:WinEventLog:Security]
blacklist = 5156-5158
disabled = false
suppress_text = 1

and many variations on the source. The blacklist and suppress_text are doing nothing. I still get firewall events I don't want to see.

Suggestions please.

0 Karma

woodcock
Esteemed Legend

It would help if you posted the exact error log text, but if it is as you are saying, then my guess is that you are using an older version of Splunk that does not support that blacklist format. I say this because the documentation for the latest version of Splunk clearly supports it:

http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Monitorwindowsdata#Use_the_Security_event_log...

Either that or you do not have a proper Heavy Forwarder binary installed (maybe Splunk makes the Universal/Light Forwarder treat incompatible settings as though they are nonsensical, which is what this log is saying).

0 Karma

klutzen
Explorer

Well, you clearly missed that I was running 6.2.4. Unless there is a secret version, it clearly does not work with 6.2.4 and the Heavy Forwarder pulling the logs from the Windows systems and applying the blacklist rules. Something is wrong here.

0 Karma

klutzen
Explorer

Restarting Splunk in a command prompt: Invalid key stanza for the blacklist line

Well, now I know why it's not working. It's being ignored.

Now how do I fix it?

0 Karma

klutzen
Explorer

Added the Splunk for Windows add-on. OK, the blacklist stanza error is now gone. Blacklist in inputs.conf is:

[WinEventLog://Security]
blacklist = 5156-5158

Accepted, but not working. Logs come through. Suspect it's because I'm pulling via WMI and it's bypassing the rule.

0 Karma

woodcock
Esteemed Legend

This looks all good to me (you do not need the disabled line at all, BTW); did you restart your Splunk instances on your Forwarders?

0 Karma

klutzen
Explorer

That's just it: I'm using the Heavy Forwarder to pull the logs via WMI from the Windows machines. There are no other forwarders. It appears that when pulling from WMI only, blacklist and the suppress_text aren't available. I will see what the universal forwarder does in a bit.

Thanks for the comment though.

0 Karma
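A small config lint that captures the thread's outcome, added here as an example rather than code from the thread or from Splunk: it parses an inputs.conf, flags blacklist and suppress_text keys that sit in a WMI stanza (where, as the thread found, they take no effect), and checks that event ID ranges in a WinEventLog stanza are well formed. The sample file is constructed from the stanzas posted above; the parser and the "ignored on WMI" rule are this example's own assumptions, not a Splunk API.

```python
import re

# Constructed sample: the three stanzas from the thread, gathered into one file.
SAMPLE_INPUTS_CONF = """\
[script://$SPLUNK_HOME\\bin\\scripts\\splunk-wmi.path]
disabled = 0
blacklist = 5152-5158
suppress_text = 1

[WMI:WinEventLog:Security]
blacklist = 5156-5158
disabled = false
suppress_text = 1

[WinEventLog://Security]
blacklist = 5156-5158
"""

# Keys that the thread found only the native WinEventLog input honours (assumption).
EVENTLOG_ONLY_KEYS = {"blacklist", "suppress_text"}
RANGE_RE = re.compile(r"^(\d+)(?:-(\d+))?$")  # "5156" or "5156-5158"

def parse_conf(text):
    """Minimal .conf parser: returns {stanza: {key: value}} in file order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def is_wmi_stanza(name):
    """Both the WMI: stanza form and the splunk-wmi.path scripted input are WMI."""
    return name.startswith("WMI:") or name.lower().endswith("splunk-wmi.path")

def lint_inputs(text):
    """Return a list of (stanza, message) findings for the given inputs.conf text."""
    findings = []
    for name, keys in parse_conf(text).items():
        if is_wmi_stanza(name):
            for key in sorted(EVENTLOG_ONLY_KEYS.intersection(keys)):
                findings.append((name, f"{key} is ignored by WMI inputs; use a [WinEventLog://...] stanza"))
        elif name.startswith("WinEventLog://") and "blacklist" in keys:
            for token in re.split(r"[,\s]+", keys["blacklist"]):
                m = RANGE_RE.match(token)
                if not m or (m.group(2) and int(m.group(1)) > int(m.group(2))):
                    findings.append((name, f"malformed blacklist entry: {token!r}"))
    return findings
```

Running `lint_inputs(SAMPLE_INPUTS_CONF)` reports four findings, two per WMI stanza, and none for the WinEventLog stanza.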