Getting Data In

How to blacklist Windows Security Event Logs 4689 and 4688 on a universal forwarder?

Engager

I'm trying to blacklist Windows Events 4688 and 4689 that come from the Splunk Universal Forwarder. I've checked the regex and it looks right according to http://regexr.com/. I've looked through many of the different links and haven't seen anyone doing this specifically. Has anyone else had any luck with this?

Thanks in advance for your help.

My config file for the app looks like this:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
index= wineventlog
blacklist = 5156,5158,4656
blacklist1 = EventCode="4689" Message="Process Name:.*SplunkUniversalForwarder"

Sample Event

08/25/2015 11:15:35 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=XXXXXXXX.com
TaskCategory=Process Creation
OpCode=Info
RecordNumber=60854906
Keywords=Audit Success
Message=A new process has been created.

Subject:
    Security ID:        NT AUTHORITY\SYSTEM
    Account Name:       XXXXX$
    Account Domain:     XXXXX
    Logon ID:       0x3e7

Process Information:
    New Process ID:     0x808
    New Process Name:   C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
    Token Elevation Type:   TokenElevationTypeDefault (1)
    Creator Process ID: 0x12e8
    Process Command Line:   

Explorer

Why don't you make a new blacklist for each of those events then? Something like the following:
blacklist2 = EventCode="4688"
blacklist3 = EventCode="4689"

0 Karma

Path Finder

Here is how to filter Windows event logs, from the 6.4.2 inputs.conf.spec.

EventLog filtering

Filtering at the input layer is desirable to reduce the total processing load in network transfer and computation on the Splunk nodes acquiring and processing the data.

whitelist = | key=regex [key=regex]
blacklist = | key=regex [key=regex]

whitelist1 = | key=regex [key=regex]
blacklist1 = | key=regex [key=regex]
blacklist2 = | key=regex [key=regex]

  • These settings are optional.
  • Both numbered and unnumbered whitelists and blacklists support two formats: A
    comma-separated list of event IDs and a list of key=regular expression pairs.

  • These two formats cannot be combined, only one may be used in a specific line.

  • Numbered whitelist settings are permitted from 1 to 9, so whitelist1 through
    whitelist9 and blacklist1 through blacklist9 are supported.

  • If no white or blacklist rules are present, all events will be read.

Formats:

  • Event ID list format:

    • A comma-separated list of terms.
    • Terms may be a single event ID (e.g. 6) or range of event IDs (e.g. 100-200)
    • Example: 4,5,7,100-200
    • This would apply to events with IDs 4, 5, 7, or any event ID between 100 and 200, inclusive.
    • Provides no additional functionality over the key=regex format, but may be easier to understand than the equivalent:
      List format: 4,5,7,100-200
      Regex equivalent: EventCode=%^(4|5|7|1..|200)$%
  • key=regex format

    • A whitespace-separated list of event log components to match, and regexes to match against them.
    • There can be one match expression or multiple per line.
    • The key must belong to the set of valid keys provided below.
    • The regex consists of a leading delimiter, the regex expression, and a trailing delimiter. Examples: %regex%, regex, "regex"
    • When multiple match expressions are present, they are treated as a logical AND. In other words, all expressions must match for the line to apply to the event.
    • If the value represented by the key does not exist, it is not considered a match, regardless of the regex.
    • Example: whitelist = EventCode=%^200$% User=%jrodman%
      Include events only if they have EventCode 200 and relate to User jrodman

Valid keys for the regex format:

  • The following keys are equivalent to the fields which appear in the text of the acquired events: Category CategoryString ComputerName EventCode EventType Keywords LogName Message OpCode RecordNumber Sid SidType SourceName TaskCategory Type User
  • There are two special keys that do not appear literally in the event.
    • $TimeGenerated : The time that the computer generated the event
    • $Timestamp: The time that the event was received and recorded by the Event Log service.
  • EventType is only available on Server 2003 / XP and earlier
  • Type is only available on Server 2008 / Vista and later
  • For a more full definition of these keys, see the web documentation:
0 Karma

Explorer

Here's how I filtered out the splunk events for event code 4688
blacklist3 = EventCode="4688" Message="(?:New Process Name:).+(?:splunk)"
blacklist4 = EventCode="4688" Message="(?:New Process Name:).+(?:splunk-netmon.exe)"

Motivator

If the title of the question is correct ("on a universal forwarder"), then you can't. To filter data using those configs before sending it to an indexer, you need a heavy forwarder. If you still want to keep the universal forwarder, you need to apply those configs on the indexer instead.
More on forwarder types from docs:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Forwarding/Typesofforwarders

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma

SplunkTrust

Not true in versions 6 and up. The UFs are becoming more and more powerful to help filter out unwanted data before it gets to the indexers.

0 Karma

Motivator

You sure? At least in the link I provided from the docs, the forwarder comparison chart states that UFs can't do per-event filtering, event routing or event parsing.

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma

SplunkTrust

Positive. EventLog filtering is a Windows-only configuration. That table you reference also has Light Forwarders, which in most practical instances are not used any more. The "Per-Event Filtering" is probably a generalized statement, as it applies to "Windows Event Logs" only. Any other file, monitor, script, etc. will not be filtered like the Windows Event Logs.

Check my link for inputs.conf, and see this section in the docs:

###
# Windows Event Log Monitor
###

Motivator

Nice. Also just found this article.
http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma

SplunkTrust

If you have more than one blacklist, you must number them all, starting at 1.

blacklist1 = 5156,5158,4656
blacklist2 = EventCode=%^4689$% Message=%SplunkUniversalForwarder%

Additionally, the "regex" used is not normal regex. Try this, and let me know how it goes.

Here's the doc:

http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/inputsconf

0 Karma
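A way to check a blacklist against a sample event before deploying it to a forwarder, written here as an added example; it is not Splunk code and not part of any post in this thread. It emulates the filter semantics from the inputs.conf.spec text quoted earlier (event ID lists with ranges, `key=%regex%` / `key="regex"` / bare `key=regex` expressions, ANDed per line, missing key never matches) and the numbering point from the answer above (an unnumbered `blacklist` beside `blacklist1` is flagged). Python's `re` stands in for Splunk's regex engine, which is an assumption: the answer above notes that Splunk's filter "regex" is not ordinary regex, so a match here is a sanity check, not a guarantee. The stanza text and the events are constructed from the snippets in this thread; only the keys the rules look at are populated.

```python
import re

# Valid keys for the key=regex format, as listed in the inputs.conf.spec
# text quoted earlier in the thread (including the two special keys).
VALID_KEYS = {
    "Category", "CategoryString", "ComputerName", "EventCode", "EventType",
    "Keywords", "LogName", "Message", "OpCode", "RecordNumber", "Sid",
    "SidType", "SourceName", "TaskCategory", "Type", "User",
    "$TimeGenerated", "$Timestamp",
}

# One match expression: key=%regex%, key="regex" or a bare key=regex
_EXPR = re.compile(r'(\$?\w+)=(?:%([^%]*)%|"([^"]*)"|(\S+))')
# One term of the event ID list format: a single ID or an inclusive range
_ID_TERM = re.compile(r'^(\d+)(?:-(\d+))?$')


def parse_rule(value):
    """Parse one whitelist/blacklist value into ("ids", [(lo, hi), ...])
    or ("regex", [(key, compiled), ...]). The two formats never mix."""
    value = value.strip()
    terms = [t.strip() for t in value.split(",")]
    if all(_ID_TERM.match(t) for t in terms):
        ranges = []
        for t in terms:
            lo, hi = _ID_TERM.match(t).groups()
            ranges.append((int(lo), int(hi or lo)))
        return ("ids", ranges)
    exprs, pos = [], 0
    for m in _EXPR.finditer(value):
        if value[pos:m.start()].strip():          # junk between expressions
            raise ValueError(f"cannot parse {value!r}")
        key = m.group(1)
        if key not in VALID_KEYS:
            raise ValueError(f"{key!r} is not a valid filter key")
        pattern = next(g for g in m.groups()[1:] if g is not None)
        exprs.append((key, re.compile(pattern)))
        pos = m.end()
    if not exprs or value[pos:].strip():
        raise ValueError(f"cannot parse {value!r}")
    return ("regex", exprs)


def rule_matches(rule, event):
    """Expressions on one line are ANDed; a key absent from the event
    never matches, whatever the regex says."""
    kind, parts = rule
    if kind == "ids":
        code = event.get("EventCode", "")
        return code.isdigit() and any(lo <= int(code) <= hi for lo, hi in parts)
    return all(k in event and rx.search(event[k]) for k, rx in parts)


def parse_stanza(text):
    """Return [(setting_name, rule)] for every whitelist*/blacklist* line."""
    rules = []
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        name = name.strip()
        if sep and re.fullmatch(r"(whitelist|blacklist)[1-9]?", name):
            rules.append((name, parse_rule(value)))
    return rules


def numbering_problems(rules):
    """The answer above says lists must be numbered from 1 when there is
    more than one; flag an unnumbered list that sits beside numbered ones."""
    problems = []
    for prefix in ("whitelist", "blacklist"):
        names = [n for n, _ in rules if n.startswith(prefix)]
        if prefix in names and len(names) > 1:
            problems.append(f"{prefix} is unnumbered but {prefix}N settings also exist")
    return problems


def blacklisted_by(stanza_text, event):
    """Name of the first blacklist rule that drops the event, or None."""
    for name, rule in parse_stanza(stanza_text):
        if name.startswith("blacklist") and rule_matches(rule, event):
            return name
    return None


# Constructed stanza: the numbered lists from the answer above plus the
# 4688 filter posted earlier in the thread.
STANZA = """
[WinEventLog://Security]
disabled = 0
index = wineventlog
blacklist1 = 5156,5158,4656
blacklist2 = EventCode=%^4689$% Message=%SplunkUniversalForwarder%
blacklist3 = EventCode="4688" Message="(?:New Process Name:).+(?:splunk)"
"""

# The question's own stanza: an unnumbered blacklist next to blacklist1.
QUESTION_STANZA = """
blacklist = 5156,5158,4656
blacklist1 = EventCode="4689" Message="Process Name:.*SplunkUniversalForwarder"
"""


def _event(code, *message_lines):
    # Constructed events: only the keys the rules look at are populated.
    return {"EventCode": code, "LogName": "Security",
            "Message": "\n".join(message_lines)}

EVENT_4688_SPLUNK = _event("4688", "A new process has been created.",
    r"    New Process Name:   C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe")
EVENT_4689_SPLUNK = _event("4689", "A process has exited.",
    r"    Process Name:   C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe")
EVENT_4688_OTHER = _event("4688", "A new process has been created.",
    r"    New Process Name:   C:\Windows\System32\notepad.exe")
EVENT_5156 = _event("5156", "The Windows Filtering Platform has permitted a connection.")

if __name__ == "__main__":
    for ev in (EVENT_4688_SPLUNK, EVENT_4689_SPLUNK, EVENT_4688_OTHER, EVENT_5156):
        print(ev["EventCode"], "->", blacklisted_by(STANZA, ev) or "kept")
    print(numbering_problems(parse_stanza(QUESTION_STANZA)))
```

Because `blacklist3` anchors on the `New Process Name:` line, the 4688 for `notepad.exe` is kept while the forwarder's own 4688 and 4689 are dropped, which is the narrow outcome the question is after; a bare `EventCode="4688"` rule, as suggested in one reply, would discard every process-creation event and with it the telemetry defenders most want from that log.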

Engager

This is event ID 4688, where the Process Information lists it as "New Process Name"; in the 4689 event ID, it lists it as "Process Name", so the regex should be right.

0 Karma