Getting Data In

How can I further edit inputs.conf in order to blacklist an event on Windows forwarder?

Path Finder

Hi,

I am tired of making this filter work but unfortunately nothing worked.
I have Windows Security events where there are two places where "Account Name" field appears .

For ex (one under "Subject" and one under "New Logon" section):

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=comp-1
TaskCategory=Logon
OpCode=Info
RecordNumber=123456789
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Impersonation Level:        Impersonation

New Logon:
    Security ID:        XYZ\name1$
    Account Name:       name1$
    Account Domain:     XYZ
    Logon ID:       0xxxxxx
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   xyz
    Source Network Address: x.x.x.x
    Source Port:        60000

I want to filter any event that has a "$" character in the SECOND Account Name field because sometimes the first "Account Name" is empty and that's why I don't really care about that one.

Hence tried following on Win Universal Forwarder's inputs.conf:

#filtering win logs logis within the servers.
[WinEventLog://Security]
disabled = 0
index = test
sourcetype = win
blacklist1 = EventCode="4662" Message=”Object Type:\s+(?!groupPolicyContainer)”
blacklist2 = EventCode="566" Message=”Object Type:\s+(?!groupPolicyContainer)”
blacklist3 = 560,567,7035,7036,592,593,595,4656,4663
blacklist4 = Message="Account Name:\s*((.|\n)*)Account Name:\s+(.*\$)"
blacklist5 = Message="Account Name:[\s]*(HealthMailbox.*)"

The blacklist4 is the one I am trying to make work, to filter events with "$" sign in second "Account Name" field, but it doesn't work.
I am pretty sure that the regex is correct as when I tried the same regex in other online regex checkers against the above event, it matches.
Hence thinking, is there any special regex language that Splunk uses and hence the above regex won't work?

Any help appreciated.

Thanks,
Fatema.

0 Karma

Path Finder

I have the same problem but struggle to find any clear answers from official splunk support or from splunk answers.

Surely someone out there has needed to do exactly this and succeed. Would love to know how to do this.

0 Karma