Getting Data In

Heavy Forwarder Pulling Windows events: blacklist not working

Explorer

Blacklists and suppress_text in Splunk 6.2.4 are not working for me on a heavy forwarder.

my inputs.conf is:

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
blacklist = 5152-5158
suppress_text = 1
...

And I've also tried

[WMI:WinEventLog:Security]
blacklist = 5156-5158
disabled = false
suppress_text = 1

and many variations on the source. The blacklist and suppress_text are doing nothing. I still get firewall events I don't want to see.

Suggestions please.

0 Karma

Esteemed Legend

It would help if you posted the exact error log text but if it is as you are saying then my guess is that you are using an older version of splunk that does not support that blacklist format. I say this because the documentation for the latest version of Splunk clearly supports it:

http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Monitorwindowsdata#Use_the_Security_event_log...

Either that or you do not have a proper Heavy Forwarder binary installed (maybe Splunk makes the Universal/Light Forwarder treat incompatible settings as though they are nonsensical, which is what this log is saying).

0 Karma

Explorer

Well, you clearly missed that I was running 6.2.4. Unless there is a secret version, it clearly does not work with 6.2.4 and the Heavy Forwarder pulling the logs from the Windows systems and applying the blacklist rules. Something is wrong here.

0 Karma

Explorer

Restarting Splunk in a command prompt: "Invalid key stanza" for the blacklist line.

Well, now I know why it's not working. It's being ignored.

Now how do I fix it?

0 Karma

Explorer

Added the Splunk for Windows add-on. OK, the blacklist stanza error is now gone. Blacklist in inputs.conf is:

[WinEventLog://Security]
blacklist = 5156-5158

Accepted, but not working. Logs come through. Suspect it's because I'm pulling via WMI and it's bypassing the rule.

0 Karma

Esteemed Legend

This looks all good to me (you do not need the disabled line at all, BTW); did you restart your Splunk instances on your Forwarders?

0 Karma

Explorer

That's just it: I'm using the Heavy Forwarder to pull the logs via WMI from the Windows machines. There are no other forwarders. It appears that when pulling from WMI only, blacklist and the suppress_text aren't available. I will see what the universal forwarder does in a bit.

Thanks for the comment though.

0 Karma
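The inputs.conf stanzas below are an added example, not configuration from this thread or from Splunk's own documentation. They show the two places the filtering can live once the thread's conclusion is accepted: the documented blacklist/suppress_text settings on a native [WinEventLog://] input (Universal Forwarder on the Windows host), and, for a remote WMI pull where the [WMI:] stanza has no blacklist key, a WQL query that excludes the unwanted event codes itself. The host name winhost01, the stanza name SecurityFiltered, the account name in the Message regex, and the exact WQL text are assumptions; the WMI query in particular has not been tested and should be checked against inputs.conf.spec before use.

```ini
# Added example (not from the thread). Universal Forwarder installed on the
# Windows host, reading the Security log natively. blacklist/whitelist and
# suppress_text are documented for [WinEventLog://] stanzas in 6.2.
[WinEventLog://Security]
disabled = 0
# Plain event-code list/range: drop Windows Filtering Platform events 5152-5158.
blacklist = 5152-5158
# Keyed format (key=%regex% pairs, all must match): drop 4688 process-creation
# events whose message mentions a service account. "splunk-svc" is hypothetical.
blacklist1 = EventCode=%^4688$% Message=%splunk-svc%
# Keep the event header fields, omit the long descriptive text.
suppress_text = 1

# If events must still be pulled remotely over WMI, the [WMI:] stanza has no
# blacklist setting, so the exclusion has to be expressed in the WQL query.
# This query is an assumption (untested) and must be verified against
# inputs.conf.spec; with current_only = 1 a notification query is required.
# Host name winhost01 and stanza name SecurityFiltered are hypothetical.
[WMI:SecurityFiltered]
server = winhost01
interval = 10
disabled = 0
current_only = 1
wql = SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile = 'Security' AND TargetInstance.EventCode <> 5156 AND TargetInstance.EventCode <> 5157 AND TargetInstance.EventCode <> 5158
```

Splunk conf files do not accept trailing comments on a key line, so every comment above sits on its own line. After editing inputs.conf, restart the forwarder and watch splunkd.log for "Invalid key" messages, which is how the thread's author found that the WMI stanza had silently ignored the blacklist.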