Getting Data In

How to blacklist Windows security events?

kpavan
Path Finder

Hi All,

We are running splunk-6.0.3-204106 version, now we are seeing high Splunk license usage from Windows Security events. So I would like to block these events. I tried the below blacklist from the referenced blog but it's not filtering any events. Please help me on how to fix this issue.

[WinEventLog:Security]
disabled = false
blacklist = 4720, 4722, 4723, 4724, 4725, 4726, 4719, 4734, 4735, 4737, 4897, 4738, 4782, 4749, 4625, 4771, 4624

Thanks!

0 Karma

bgaignon
Path Finder

Hi,
I guess you used this post to help: http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/

It looks correct.

  • Did you push this config on your Indexer AND Forwarder?
  • Did you restart your servers?
  • Do you have another stanza about WinEventLog that can overwrite this one?
0 Karma

bgaignon
Path Finder

If you want to block a specific IP or a host you can also use the nullqueue instead of blacklist.
It's simple to configure: http://answers.splunk.com/answers/59370/filtering-events-using-nullqueue

0 Karma

bgaignon
Path Finder

Hmm, I can't help on this specific need, sorry.

My only solution is: Deployment Server
I would create an application with the stanza that blacklists EventCodes. Then use the deployment feature of Splunk to push this application on all my forwarders.
You need a licence to create a deployment server.

Doc: http://docs.splunk.com/Documentation/Splunk/6.1.3/Updating/Extendedexampledeployseveralstandardforwa...
http://wiki.splunk.com/Deploy:DeploymentServer

0 Karma

kpavan
Path Finder

Hi,

We have the UF installed on all 300 servers and all 300 Windows servers are sending the security logs, so now I want to put a blacklist on the indexer to block all the logs which are coming in, since configuring all the UFs will be time consuming. Please suggest configurations for how I can achieve this task.

And also help me: if I want to block a specific IP, can I block it on the indexer?

Thanks!

0 Karma

bgaignon
Path Finder

So you don't have any forwarder on your 300 hosts?

If you have a distributed environment and a forwarder on every host, you can easily create a configuration to push on all your hosts using serverclass.conf.

If you receive your data directly on a port (like 9997), it works the same way: In your stanza that applies just add the blacklist feature.

Is it helpful?

0 Karma

kpavan
Path Finder

Hi,

Sorry for the delay in response!

Yes, I have configured it on the indexer server. Now I got to know this configuration works on the Universal Forwarder only. Sorry for my mistake.

Could you please let me know how to block at the indexer level, because I have 300+ hosts sending the logs to Splunk and it is eating my license very much.

Please help me on this issue.

Thanks in advance!

0 Karma
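The nullQueue approach bgaignon linked earlier is the usual way to drop events at the indexer level, which is what the question above asks for. This is an added example, not configuration from this thread or from Splunk's documentation: a props.conf / transforms.conf pair placed on the indexer (the host that parses the data), assuming the classic WinEventLog text format that carries an `EventCode=` line and reusing the event codes from the original blacklist.

```ini
# props.conf on the indexer (constructed example, not from the thread).
# The stanza name must match the sourcetype the universal forwarders send.
[WinEventLog:Security]
TRANSFORMS-drop_noisy_security = drop_noisy_security_events

# transforms.conf on the same indexer. Any event whose raw text matches
# REGEX is routed to nullQueue, so it is never indexed.
[drop_noisy_security_events]
# (?m) lets ^ match at the start of any line inside the multi-line event text;
# the code list is the one from the original inputs.conf blacklist.
REGEX = (?m)^EventCode=(4720|4722|4723|4724|4725|4726|4719|4734|4735|4737|4897|4738|4782|4749|4625|4771|4624)\b
DEST_KEY = queue
FORMAT = nullQueue
```

Restart splunkd on the indexer after editing; the events still travel from the forwarders over the network, but nullQueue'd events are never indexed and do not count toward license volume. Keep in mind that 4624/4625 (logons) and 472x (account management) are among the events most often used for detection, so scope the list to codes you are sure you will not need.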

ppablo
Retired

Hi @kpavan

Correct me if I'm wrong, but from your post and this most recent comment, it sounds like you only configured inputs.conf on the indexer? I read through the comments thread on that blog and the writer states in the 2nd to last comment that this configuration works on the forwarder.

0 Karma

kpavan
Path Finder

Hi,

I did configure inputs.conf on the indexer and restarted the servers as well. And there is no stanza on the indexer to overwrite this one.

I just have the below configs on the indexer; is there any mistake in my configs?

[default]
host = splunk-index-dev-1

[WinEventLog:System]
disabled = false
blacklist = 7036

Thanks!

0 Karma