Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to blacklist specific accounts in Windows security log event 4663?

splunkbacon
Explorer
‎01-03-2017 06:47 AM

I've seen several posts here, but none that really have a concrete answer on this. I'm trying to blacklist certain accounts in my inputs.conf on the Splunk universal forwarder for Windows event id 4663 (object access).

Does anyone know the correct way to blacklist several account names from appearing in the data forwarded to Splunk? I've seen some people say key off of user, others with message= followed by some regex with Account Name.

The below obviously does not work.

blacklist = EventCode="4663" Account Name="User, SERVER$, UserAccount1, UserAccount2"
0 Karma
Reply

lredij
Engager
‎03-08-2018 09:23 PM

Yes it is case sensitive
try this one
blacklist1 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\taccount1\s"

blacklist2 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\taccount2\s"

blacklist3 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\tComputername$\s"

Or you can combine accounts by using pipe |.

Reply

splunkbacon
Explorer
‎01-03-2017 11:11 AM

Thank you. I didn't try exactly what you have there but ended up getting this to work earlier.

blacklist= Message="Account\sName:\s+(account1|SYSTEM|account2|(Computername\$))"

Does anyone know if these entries are case sensitive or not?

0 Karma
Reply

lguinn2
Legend
‎01-03-2017 11:05 AM

This seems to be a common misconception about filtering Windows Event log inputs. You can't use any field that you want as a key. Fields are not keys; in fact, fields do not exist at input time. You can find the list of keys in the docs here.
If the information that you want can be found in any of these keys, you can write a regular expression that matches. For example:

blacklist = EventCode="4663" Message="User|SERVER$|UserAccount1|UserAccount2"
Reply

splunkbacon
Explorer
‎01-03-2017 11:12 AM

Thank you. I was able to get something similar to work after posting this.

Does anyone know if these regex are case sensitive by default? I believe we can't follow the regex with /i to ignore case?

0 Karma
Reply

lguinn2
Legend
‎01-03-2017 12:50 PM

Regular expressions are always case sensitive. Since Splunk uses PCRE, you should be able to make a regular expression case-INsensitive by putting (?i) at the beginning of the regex.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...