Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to blacklist specific accounts in Windows security log event 4663?

splunkbacon
Explorer
‎01-03-2017 06:47 AM

I've seen several posts here, but none that really have a concrete answer on this. I'm trying to blacklist certain accounts in my inputs.conf on the Splunk universal forwarder for Windows event id 4663 (object access).

Does anyone know the correct way to blacklist several account names from appearing in the data forwarded to Splunk? I've seen some people say key off of user, others with message= followed by some regex with Account Name.

The below obviously does not work.

blacklist = EventCode="4663" Account Name="User, SERVER$, UserAccount1, UserAccount2"
0 Karma
Reply

lredij
Engager
‎03-08-2018 09:23 PM

Yes it is case sensitive
try this one
blacklist1 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\taccount1\s"

blacklist2 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\taccount2\s"

blacklist3 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\tComputername$\s"

Or you can combine accounts by using pipe |.

Reply

splunkbacon
Explorer
‎01-03-2017 11:11 AM

Thank you. I didn't try exactly what you have there but ended up getting this to work earlier.

blacklist= Message="Account\sName:\s+(account1|SYSTEM|account2|(Computername\$))"

Does anyone know if these entries are case sensitive or not?

0 Karma
Reply

lguinn2
Legend
‎01-03-2017 11:05 AM

This seems to be a common misconception about filtering Windows Event log inputs. You can't use any field that you want as a key. Fields are not keys; in fact, fields do not exist at input time. You can find the list of keys in the docs here.
If the information that you want can be found in any of these keys, you can write a regular expression that matches. For example:

blacklist = EventCode="4663" Message="User|SERVER$|UserAccount1|UserAccount2"
Reply

splunkbacon
Explorer
‎01-03-2017 11:12 AM

Thank you. I was able to get something similar to work after posting this.

Does anyone know if these regex are case sensitive by default? I believe we can't follow the regex with /i to ignore case?

0 Karma
Reply

lguinn2
Legend
‎01-03-2017 12:50 PM

Regular expressions are always case sensitive. Since Splunk uses PCRE, you should be able to make a regular expression case-INsensitive by putting (?i) at the beginning of the regex.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...