I've seen several posts here, but none that really have a concrete answer on this. I'm trying to blacklist certain accounts in my inputs.conf on the Splunk universal forwarder for Windows event id 4663 (object access).
Does anyone know the correct way to blacklist several account names from appearing in the data forwarded to Splunk? I've seen some people say key off of user, others with message= followed by some regex with Account Name.
The below obviously does not work.
blacklist = EventCode="4663" Account Name="User, SERVER$, UserAccount1, UserAccount2"
Yes it is case sensitive
try this one
blacklist1 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\taccount1\s"
blacklist2 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\taccount2\s"
blacklist3 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\tComputername$\s"
Or you can combine accounts by using pipe |.
Thank you. I didn't try exactly what you have there but ended up getting this to work earlier.
Does anyone know if these entries are case sensitive or not?
This seems to be a common misconception about filtering Windows Event log inputs. You can't use any field that you want as a key. Fields are not keys; in fact, fields do not exist at input time. You can find the list of keys in the docs here.
If the information that you want can be found in any of these keys, you can write a regular expression that matches. For example:
blacklist = EventCode="4663" Message="User|SERVER$|UserAccount1|UserAccount2"
Thank you. I was able to get something similar to work after posting this.
Does anyone know if these regex are case sensitive by default? I believe we can't follow the regex with /i to ignore case?