Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to blacklist events for a specific event code and task category?

nmohammed
Builder
‎07-13-2018 11:52 AM

Trying to blacklist specific windows event logs based on event code and task category, but doesn't work .

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = winevents
renderXml=false
blacklist1=EventCode="5145" TaskCategory="(Detailed File Share|File Share)"

Example event - 

07/13/2018 11:22:01 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5140
EventType=0
Type=Information
ComputerName=SomeServer
TaskCategory=File Share
OpCode=Info
RecordNumber=5487448804
Keywords=Audit Success
Message=A network share object was accessed.

Subject:
    Security ID:        S-1-5-21-xxxxxxxxx-xxxxxx-xxxxxx-xxxx
    Account Name:       cz9_rmc_s3_CIFS$
    Account Domain:     domain
    Logon ID:       0x3D9AC95C1

Network Information:    
    Object Type:        File
    Source Address:     10.xxx.xx.xxx
    Source Port:        45088

Share Information:
    Share Name:     \\*\IPC$
    Share Path:     

Access Request Information:
    Access Mask:        0x1
    Accesses:       ReadData (or ListDirectory)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

CarsonZa
Contributor
‎07-13-2018 11:59 AM

try this

blacklist=EventCode=%^5145$% TaskCategory=%(Detailed File Share|File Share)%

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-13-2018 12:11 PM

Try using just blacklist instead of blacklist1. You can have upto 10 blacklist filters applied but it should start with blacklist, blacklist1, blacklist2...etc till blacklist9.

0 Karma
Reply
Solved! Jump to solution

nmohammed
Builder
‎07-13-2018 03:36 PM

Tried this -

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = winevents
renderXml=false
blacklist1=EventCode="5145" TaskCategory="Detailed File Share"
blacklist1=EventCode="5145" TaskCategory="File Share"

Did not work. Still see the events come in.

0 Karma
Reply
Solved! Jump to solution
Solution

CarsonZa
Contributor
‎07-13-2018 11:59 AM

try this

blacklist=EventCode=%^5145$% TaskCategory=%(Detailed File Share|File Share)%

Reply
Solved! Jump to solution

gurulee
Explorer
‎08-07-2020 02:17 PM

Thank you for sharing. I found this helpful.

0 Karma
Reply
Solved! Jump to solution

nmohammed
Builder
‎07-13-2018 04:33 PM

Actually this worked. I had two different EventCodes sending the Same Category.

Thanks @CarsonZa

Reply
Solved! Jump to solution

nmohammed
Builder
‎07-13-2018 03:37 PM

Thanks , I tried it as well.. Did not work , still see the events come in.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...