I see this type of question has been asked several times, however I haven't been able to find the answer to my situation.
I need to have the below eventcode, computername and user added to the overall blacklist so it stops sending results up to Splunk.
I have added the below line to my inputs.conf file:
blacklist5 = EventCode="4625" ComputerName="specific-comp-name"
and that works as it will block all 4625 events from that specific computer name, however it works too well; I need to further narrow the filter to also include where user="User". When I add that:
blacklist5 = EventCode="4625" ComputerName="specific-comp-name" user="User"
The filter stops filtering out anything and once again all 4625 events are being sent up to Splunk.
Any help on how to get this accomplished is greatly appreciated.
Are you trying to blacklist it based on the Security ID or Account Name in the "Message" field content?
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: {USER_NAME}
This isn't parsed by the forwarder, it's only sent as the "Message" field. You'll have to use regex against the Message field to filter on those values.
blacklist5 = EventCode="4625" ComputerName="specific-comp-name" Message="Account Name:\s+{ACCOUNT_TO_BLACKLIST}"
The one issue to be aware of is that in 4624/4625 the "Account Name:" can be defined a bit differently based on logon type. You may want to be specific with your regex to avoid accidentally blacklisting an event you want to see:
blacklist5 = EventCode="4625" ComputerName="specific-comp-name" Message="Logon Type:\s+2\s.*Account Name:\s+{ACCOUNT_TO_BLACKLIST}\s+"
blacklist5 = EventCode="4625" ComputerName="server-name" Message="\sAccount Name:\s_USER_NAME_\s"
In Windows events there are many spaces, which we need to tackle.
Thank you for all of that, after following your suggestion, I discovered that there were actually 2 tabs between Account Name: and my key word User, so by simply adding a /t/t it was able to then find what I wanted and add them to the black list.
Thanks again for your help!
Thank you for the idea. It does not read because of the additional spaces:
blacklist5 = EventCode="4625" ComputerName="server-name" Message="\sAccount Name:\s_USER_NAME_\s"
@ebuehne - Glad you were able to find the solution with wenthold's help. Please don't forget to "Accept" the answer to close out your question and upvote anything that was helpful. Thanks.
wenthold - I inserted the below line however it did not block any of those events:
blacklist5 = EventCode="4625" ComputerName="server-name" Message="Logon Type:\s+2\s.*Account Name:\s+{User}\s+"
When I remove the requirement looking for "User", the blocking works awesome, but it blocks more than what we want:
blacklist5 = EventCode="4625" ComputerName="server-name"
Again, what we are wanting to do is block all of that event code from that server that has a user name of "User" - yes the user name is actually called "User"
When you look at the events themselves, you'll see the standard entries:
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=THIS_COMPUTER.net.internal
TaskCategory=Logoff
OpCode=Info
RecordNumber=114782234
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NB\THAT_COMPUTER$
Account Name: THAT_COMPUTER$
Account Domain: NB
Logon ID: 0x111222EDF
Logon Type: 3
The only fields you can blacklist at the forwarder are the key/value ones - LogName, SourceName, EventCode, etc. You can't blacklist the "User" field because it's part of the Message field and it doesn't get extracted at this point. You have to do the blacklist using regex against the entire "Message" field since "user" isn't one of the key/value pairs in the source log. That doesn't get extracted until later. You may want to start with a simple regex, then as you get it working make it more specific. If the events you're trying to blacklist have this in the first part of the message field:
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: user.account
Account Domain: NB
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A
the issue is that you probably want to get to that second "Account Name" field, which should match the "User" field you're trying to blacklist - correct?
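To make the behaviour described in this answer and in the earlier one concrete, here is an added Python model of the forwarder's blacklist check; it is not Splunk's code and not from any post in this thread. It assumes the key="regex" semantics where every key in a blacklist line is a regex that must match its field and the event is dropped only when all of them match, and it builds a constructed 4625 event with two tabs after "Account Name:", the spacing the original poster found. The rule names and the render_4625 helper are my own.

```python
import re

def render_4625(subject_name, failed_name, computer="server-name"):
    """Build the forwarder's rendered text for a 4625 event (constructed sample,
    not a real log). Header fields are key=value; Message is multi-line."""
    return (
        f"EventCode=4625\nComputerName={computer}\n"
        "Message=An account failed to log on.\n"
        f"Subject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t{subject_name}\n"
        "Account For Which Logon Failed:\n"
        f"\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t{failed_name}\n"
        "\tAccount Domain:\t\tNB\n"
    )

def parse_event(text):
    """Split the rendered event into the key=value fields the forwarder knows
    about; everything from 'Message=' onward is one opaque Message field, so
    no 'user' key ever exists at this stage."""
    fields = {}
    head, _, message = text.partition("Message=")
    for line in head.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    fields["Message"] = message
    return fields

def is_blacklisted(event, rule):
    """Assumed inputs.conf semantics: each value is an unanchored regex and
    every key in the rule must match for the event to be dropped."""
    return all(re.search(pat, event.get(key, "")) for key, pat in rule.items())

BASE = {"EventCode": "4625", "ComputerName": "server-name"}
RULES = {
    # the original poster's attempt: 'user' is not a forwarder field, so it never matches
    "user_key":      {**BASE, "user": "User"},
    # a single literal space fails against the real tab spacing
    "literal_space": {**BASE, "Message": r"Account Name: User"},
    # \s+ covers tabs, but also hits the Subject's "Account Name:"
    "any_space":     {**BASE, "Message": r"Account Name:\s+User\s"},
    # anchor on the failed-logon block so only that account name counts
    "failed_only":   {**BASE, "Message": r"Account For Which Logon Failed:[\s\S]*?Account Name:\s+User\s"},
}

def evaluate(text):
    """Return which of the candidate blacklist lines would drop this event."""
    event = parse_event(text)
    return {name: bool(is_blacklisted(event, rule)) for name, rule in RULES.items()}
```

Run evaluate(render_4625("-", "User")) against evaluate(render_4625("User", "other")) to see that only the anchored pattern separates a failed logon for "User" from one merely requested by "User".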
wenthold - Thank you for your response, I put the below in however it is still not preventing those events:
blacklist5 = EventCode="4625" ComputerName="server-name" Message="Account Name:\s+{User}"
Again, when I use this it works, but it works too well:
blacklist5 = EventCode="4625" ComputerName="server-name"
I only want to block that event code from that server when the user name = "User" ****** Yes, the user name I want blocked is actually called "User"
Any other ideas?
Hello there @ebuehne
What happens if you add another blacklist that only filters users, like this:
blacklist5 = EventCode="4625" ComputerName="specific-comp-name"
blacklist6 = User="specific-user"
Having those on separate lines would create 2 independent blacklists, each blocking all instances, which is not the end result we are looking for. We need all eventcode 4625 from the specific server and specific user to get blocked.
Try these blacklists:
blacklist5 = EventCode="4625" ComputerName="specific-comp-name" Message="Account\sName: \s+specific-user-name"
blacklist5 = EventCode="4625" ComputerName="specific-comp-name" Message="specific-user-name"