Getting Data In

How do I blacklist Logon Type 3 and Account Names in Windows Security logs?

CaptainHook
Communicator

I am working with a customer that is trying to narrow down their Windows Security logs. They would like to isolate the Event Code to only 4732,4624, while excluding Logon Type "3" and the list of Account Names. This stanza does not seem to be working and I was hoping someone might be able to assist with either cleaning it up or suggesting a better solution.

[WinEventLog://Security] 
whitelist1 = 4732,4624
disabled = 0 
followTail = 0
index = xxxxx
ignoreOlderThan = 2d
sourcetype=xxxx_wineventlog_sec
blacklist1 = Message="Logon\sType:\s+(3|(\w+\$))"
blacklist2 = Message="Account\sName:\s+(srvcy*|potalogp|micsperf|sssa|srvHPOM|srvc2cansible|(\w+\$))"

Thank you.

0 Karma
1 Solution

CaptainHook
Communicator

This is the configuration that I have been able to get working. I appreciate all the assistance as this literally came down to trial and error.

whitelist1 = 4732,4624
blacklist = Message="Logon\sType:\t+3"
blacklist1 = Message="Account\sName:\t+(srvcy*|potalogp|micsperf|sssa|srvHPOM|srvc2cansible)"

Thank you.

sloshburch
Splunk Employee

I think the issue is that the Message field contains more than just the Logon or the Account Name. If there's other stuff in the Message then I think you need to say that in the regex:

 blacklist1 = Message=".*Logon\sType:\s+(3|(\w+\$)).*"
 blacklist2 = Message=".*Account\sName:\s+(srvcy*|potalogp|micsperf|sssa|srvHPOM|srvc2cansible|(\w+\$)).*"

See the .* before and after?

0 Karma

CaptainHook
Communicator

Sorry for the delayed response...
This is not working either; I am starting to think this may need to be handled from another approach. The whitelist for !=LogonType 3 sounds interesting, but I am not certain on how to write that in. Any suggestions there? Thank you.

0 Karma


maciep
Champion

In which way is not working? Is neither filter working? Or one but not the other?

I'm not sure if/how relevant, but the documentation mentions putting delimiters around the regex expression.

* key=regex format
  * A whitespace-separated list of event log components to match, and
    regexes to match against them.
  * There can be one match expression or multiple per line.
  * The key must belong to the set of valid keys provided below.
  * The regex consists of a leading delimiter, the regex expression, and a
    trailing delimiter. Examples: %regex%, *regex*, "regex"
  * When multiple match expressions are present, they are treated as a
    logical AND.  In other words, all expressions must match for the line to
    apply to the event.
  * If the value represented by the key does not exist, it is not considered
    a match, regardless of the regex.
  * Example:
    whitelist = EventCode=%^200$% User=%jrodman%
    Include events only if they have EventCode 200 and relate to User jrodman
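To make the filter semantics concrete, here is an added Python simulator (example code written for this page, not Splunk's own filter implementation) that parses the accepted-answer stanza above together with the key=regex form from the quoted spec excerpt, and runs constructed 4624/4732-style Message texts through it. It assumes the behaviour the excerpt describes: the key=regex pairs inside one entry are ANDed, a missing key never matches, and an event is kept only if it matches some whitelist entry and no blacklist entry. The tab-separated message layout is a constructed sample modelled on the Windows Security event text, not captured log data.

```python
"""Simulate whitelist/blacklist filtering of a [WinEventLog://Security] stanza.

Added example for this thread, not Splunk code. Assumed semantics (from the
inputs.conf.spec excerpt quoted above): key=regex pairs in one entry are ANDed,
a missing key never matches, and an event survives only if it matches at least
one whitelist entry and no blacklist entry.
"""
import re
from typing import Dict, List, Tuple

Pairs = List[Tuple[str, "re.Pattern[str]"]]


def parse_filter(value: str) -> Pairs:
    """Parse one whitelist/blacklist value into (key, compiled regex) pairs.

    Two forms, as in the spec: a bare comma-separated list of event codes
    ("4732,4624"), or whitespace-separated key=<delim>regex<delim> pairs where
    the delimiter is whatever character follows the '=' (%, *, ").
    """
    value = value.strip()
    if "=" not in value:
        codes = "|".join(re.escape(c.strip()) for c in value.split(","))
        return [("EventCode", re.compile(rf"^(?:{codes})$"))]
    pairs: Pairs = []
    i = 0
    while i < len(value):
        while i < len(value) and value[i].isspace():  # skip separators
            i += 1
        if i >= len(value):
            break
        eq = value.index("=", i)
        key = value[i:eq]
        delim = value[eq + 1]                  # first char after '=' is the delimiter
        end = value.index(delim, eq + 2)       # regex runs up to the matching delimiter
        pairs.append((key, re.compile(value[eq + 2:end])))
        i = end + 1
    return pairs


def matches(pairs: Pairs, event: Dict[str, str]) -> bool:
    """All pairs of one entry must match (logical AND); a missing key never matches."""
    return all(key in event and rx.search(event[key]) is not None for key, rx in pairs)


def keep_event(stanza: Dict[str, str], event: Dict[str, str]) -> bool:
    """Keep the event if some whitelist entry matches and no blacklist entry does."""
    whitelists = [parse_filter(v) for k, v in stanza.items() if k.startswith("whitelist")]
    blacklists = [parse_filter(v) for k, v in stanza.items() if k.startswith("blacklist")]
    if whitelists and not any(matches(p, event) for p in whitelists):
        return False
    return not any(matches(p, event) for p in blacklists)


def filter_events(stanza: Dict[str, str], events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [e for e in events if keep_event(stanza, e)]


# The stanza keys from the accepted answer (raw strings keep the regex escapes intact).
STANZA = {
    "whitelist1": "4732,4624",
    "blacklist": r'Message="Logon\sType:\t+3"',
    "blacklist1": r'Message="Account\sName:\t+(srvcy*|potalogp|micsperf|sssa|srvHPOM|srvc2cansible)"',
}


def logon_message(logon_type: str, account: str) -> str:
    """Constructed 4624-style text: Windows pads these labels with tabs, not spaces."""
    return ("An account was successfully logged on.\r\n\r\n"
            "Logon Type:\t\t\t" + logon_type + "\r\n\r\n"
            "New Logon:\r\n\tAccount Name:\t\t" + account + "\r\n")


GROUP_MESSAGE = ("A member was added to a security-enabled local group.\r\n\r\n"
                 "Subject:\r\n\tAccount Name:\t\tadmin01\r\n")  # constructed 4732-style text

# Constructed sample events; comments state the expected outcome under STANZA.
EVENTS = [
    {"EventCode": "4624", "Message": logon_message("2", "jdoe")},        # kept
    {"EventCode": "4624", "Message": logon_message("3", "jdoe")},        # dropped: Logon Type 3
    {"EventCode": "4624", "Message": logon_message("2", "potalogp")},    # dropped: listed account
    {"EventCode": "4624", "Message": logon_message("2", "srvcbackup")},  # dropped: srvcy* matches any srvc* name
    {"EventCode": "4732", "Message": GROUP_MESSAGE},                     # kept
    {"EventCode": "4625", "Message": logon_message("2", "jdoe")},        # dropped: not whitelisted
]

if __name__ == "__main__":
    for e in filter_events(STANZA, EVENTS):
        print("kept", e["EventCode"], repr(e["Message"][:40]))
```

Two things the run shows that the thread only hints at: the `\t+` form works because the Windows message text pads these labels with tabs, so a regex that assumes ordinary spaces has nothing to bite on; and `srvcy*` means "srvc followed by zero or more y", so in an unanchored search it excludes every account whose name begins with srvc, not just ones called srvcy. If the input renders events as XML (renderXml in inputs.conf), the Message layout changes entirely, which is why the `%<Data Name='LogonType'>3<\/Data>%` form in a later reply is the one that matches there.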

fulldanad
Path Finder

This was the trick for me:

It worked when I added % around my regex, like this: %<Data Name='LogonType'>3<\/Data>%

0 Karma

CaptainHook
Communicator

It seems as if the filter for the logon type and the Account name work separately, but together they do not.

0 Karma

maciep
Champion

I think I misread the documentation, so you can ignore the comment about them being AND'd together. I think that is only if there are multiple expressions in one blacklist entry.

0 Karma

maciep
Champion

The documentation does say that they would be AND'd together. So if both blacklist entries are there, are Logon Type 3 events excluded for those particular users? That's the way I think it would work.

Not sure what the solution would be, maybe find a way to whitelist one of those conditions instead? For example, whitelist any Messages that don't equal Logon Type 3?

0 Karma