I'm trying to blacklist Windows Events 4688 and 4689 that come from the Splunk Universal Forwarder. I've checked the regex and it looks right according to http://regexr.com/. I've looked through many of the different links and haven't seen anyone doing this specifically. Has anyone else had any luck with this?
Thanks in advance for your help.
My config file for the app looks like this:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
index = wineventlog
blacklist = 5156,5158,4656
blacklist1 = EventCode="4689" Message="Process Name:.*SplunkUniversalForwarder"
08/25/2015 11:15:35 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=XXXXXXXX.com
TaskCategory=Process Creation
OpCode=Info
RecordNumber=60854906
Keywords=Audit Success
Message=A new process has been created.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: XXXXX$
Account Domain: XXXXX
Logon ID: 0x3e7
Process Information:
New Process ID: 0x808
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0x12e8
Process Command Line:
Here is how to filter Windows event logs, from the 6.4.2 inputs.conf.spec:
whitelist = <list of eventIDs> | key=regex [key=regex]
blacklist = <list of eventIDs> | key=regex [key=regex]
whitelist1 = <list of eventIDs> | key=regex [key=regex]
blacklist1 = <list of eventIDs> | key=regex [key=regex]
blacklist2 = <list of eventIDs> | key=regex [key=regex]
Both numbered and unnumbered whitelists and blacklists support two formats: a
comma-separated list of event IDs, and a list of key=regular expression pairs.
These two formats cannot be combined; only one may be used in a specific line.
Numbered whitelist settings are permitted from 1 to 9, so whitelist1 through
whitelist9 and blacklist1 through blacklist9 are supported.
If no white or blacklist rules are present, all events will be read.
Event ID list format:
Here's how I filtered out the Splunk events for event code 4688:
blacklist3 = EventCode="4688" Message="(?:New Process Name:).+(?:splunk)"
blacklist4 = EventCode="4688" Message="(?:New Process Name:).+(?:splunk-netmon.exe)"
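As an added example (not from this thread and not Splunk's own code), the following Python applies the two blacklist formats described above to a parsed event, so a blacklist line can be checked against a sample event before it goes into inputs.conf. It assumes the spec's documented semantics: several key=regex pairs on one line are ANDed, a key missing from the event never matches, and each blacklist line is applied independently; Python's re module stands in for Splunk's regex engine, and the sample event is constructed from the 4688 event quoted in the question.

```python
import re

# Constructed sample, shaped like the 4688 event quoted in the question (placeholder values).
SAMPLE_EVENT = {
    "LogName": "Security",
    "EventCode": "4688",
    "ComputerName": "host.example.com",
    "Message": ("A new process has been created. Subject: Security ID: NT AUTHORITY\\SYSTEM "
                "New Process Name: C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe "
                "Token Elevation Type: TokenElevationTypeDefault (1)"),
}

# One key=regex pair: key, a one-character delimiter (" or %), the regex body, the same delimiter.
PAIR_RE = re.compile(r'(\w+)=([^\w\s])(.*?)\2(?=\s|$)')


def parse_blacklist(value):
    """Parse the right-hand side of a blacklist/blacklistN line into a rule.

    Returns ("ids", {int, ...}) for the event ID list format (ranges such as 100-200 expanded),
    or ("pairs", [(key, compiled_regex), ...]) for the key=regex format.
    """
    value = value.strip()
    if re.fullmatch(r"[\d,\s-]+", value):
        ids = set()
        for term in value.split(","):
            lo, _, hi = term.strip().partition("-")
            if lo:
                ids.update(range(int(lo), int(hi or lo) + 1))
        return "ids", ids
    pairs = [(key, re.compile(body)) for key, _, body in PAIR_RE.findall(value)]
    if not pairs:
        raise ValueError(f"not an ID list or key=regex line: {value!r}")
    return "pairs", pairs


def rule_matches(rule, event):
    """A rule matches when the EventCode is in the ID set, or when every key=regex pair
    matches (logical AND, per the spec). A key absent from the event never matches."""
    kind, spec = rule
    if kind == "ids":
        return int(event.get("EventCode", -1)) in spec
    return all(key in event and rx.search(event[key]) for key, rx in spec)


def is_blacklisted(event, blacklist_values):
    """An event is dropped if any blacklist line (blacklist, blacklist1, ...) matches it."""
    return any(rule_matches(parse_blacklist(v), event) for v in blacklist_values)
```

Feeding the question's `blacklist1` line to `rule_matches` shows why it never fires on this event: its EventCode regex is 4689, while the process-creation event is 4688.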
If the title of the question is correct ("on a universal forwarder"), then you can't. To filter data using those configs before sending it to an indexer, you need a heavy forwarder. If you still want to keep the universal forwarder, you need to apply those configs on the indexer instead.
More on forwarder types from docs:
You sure? At least in the link I provided from the docs, the forwarder comparison chart states that UFs can't do per-event filtering, event routing or event parsing.
Positive. EventLog filtering is a Windows-only configuration. That table you reference also has Light Forwarders, which in most practical instances are not used any more. The "Per-Event Filtering" is probably a generalized statement, as it applies to "Windows Event Logs" only. Any other file, monitor, script, etc. will not be filtered like the Windows Event Logs.
Check my link for inputs.conf, and see this section in the docs:
###
# Windows Event Log Monitor
###
Nice. Also just found this article.
If you have more than one blacklist, you must number them all, starting at 1.
blacklist1 = 5156,5158,4656
blacklist2 = EventCode=%^4689$% Message=%SplunkUniversalForwarder%
Additionally, the "regex" used is not normal regex. Try this, and let me know how it goes.
Here's the doc: