Hi everyone,
I need to filter these events, but remove events related to RdrCEF.exe
How do I create an exception in inputs.conf for this Full File Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe
Today my inputs.conf is:
[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
checkpointInterval = 5
current_only = 0
disabled = 0
index = test1
start_from = oldest
renderXml = 1
whitelist = 8000, 8004, 8007, 8008, 8029, 8032, 8035, 8036, 8040
blacklist1 = EventCode = "^8004$" Message = "\%PROGRAMFILES\%\\ADOBE\\ACROBAT\sREADER\sDC\\READER\\ACROCEF_1\\RDRCEF\.EXE"
blacklist2 = EventCode = "^8004$" Message = "\%PROGRAMFILES\%\\ADOBE\\ACROBAT\sREADER\sDC\\READER\\ACROCEF_1\\RDRCEF\.EXE"
blacklist3 = EventCode = "^8004$" Message = "\\RDRCEF\.EXE"
blacklist4 = EventCode = "^8004$" Message = "*\\RDRCEF\.EXE"
_TCP_ROUTING = test
@RenanMarcelino - Try blacklist like this:
blacklist5 = EventCode = "^8004$" Message = ".*\\Adobe\\Acrobat Reader DC\\Reader\\acrocef_1\\RdrCEF.exe.*"
I don't think you need any of your blacklists.
I hope this helps!! Kindly upvote if it does!!!
@VatsalJagani , thanks for the reply.
I have the situation where my log is upper case in some cases and lower case in others, example:
%PROGRAMFILES%\ADOBE\ACROBAT READER DC\READER\ACROCEF_1\RDRCEF.EXE
%Program Files%\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.EXE
How do I put it in the regular expression to not be case sensitive? I'm testing via regex101, but I don't know which language.
This is how the FullFilePath arrives in my Splunk:
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe
Hi @RenanMarcelino ,
Try below:
blacklist5 = EventCode = "^8004$" Message = "(?i).*\\Adobe\\Acrobat Reader DC\\Reader\\acrocef_1\\RdrCEF\.exe"
I hope this helps!!!
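Added example (not from this thread, and not Splunk's own code): a small Python script that runs the blacklist regexes posted above against the three sample paths from the question plus one constructed path that must not be suppressed. Splunk evaluates blacklist regexes with PCRE; Python's re module treats these particular patterns the same way, so it is a usable stand-in for regex101 here. The keep_event helper models the stanza's decision under two assumptions: every key=regex pair of one blacklist entry must match (EventCode AND Message), and an event that matches a blacklist is dropped even though its EventCode is on the whitelist.

```python
import re

# Constructed sample values of the Message/FullFilePath field, copied from the
# thread, plus one sibling binary that must keep flowing to the index.
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe",
    r"%PROGRAMFILES%\ADOBE\ACROBAT READER DC\READER\ACROCEF_1\RDRCEF.EXE",
    r"%Program Files%\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.EXE",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",  # constructed, must NOT match
]

# The Message = "..." values exactly as posted in the inputs.conf stanzas above.
PATTERNS = {
    "blacklist1": r"\%PROGRAMFILES\%\\ADOBE\\ACROBAT\sREADER\sDC\\READER\\ACROCEF_1\\RDRCEF\.EXE",
    "blacklist3": r"\\RDRCEF\.EXE",
    "blacklist4": r"*\\RDRCEF\.EXE",
    "blacklist5": r"(?i).*\\Adobe\\Acrobat Reader DC\\Reader\\acrocef_1\\RdrCEF\.exe",
}

# The whitelist line from the stanza: only these EventCodes are collected at all.
WHITELIST_CODES = {"8000", "8004", "8007", "8008", "8029", "8032", "8035", "8036", "8040"}


def blacklist_hits(pattern, paths=SAMPLE_PATHS):
    """Return the sample paths a Message regex would suppress.

    Returns None when the pattern does not compile. That is what happens to
    blacklist4: a leading '*' has nothing to repeat, in PCRE as in Python.
    The regex is applied unanchored (re.search), which is how Splunk matches
    a key=regex pair against a field value.
    """
    try:
        rx = re.compile(pattern)
    except re.error:
        return None
    return [p for p in paths if rx.search(p)]


def keep_event(event_code, message, message_pattern, code_pattern=r"^8004$"):
    """Model the stanza's keep/drop decision for one AppLocker event.

    Assumption: the event is kept only if its EventCode is whitelisted AND the
    blacklist entry (code regex AND message regex, all pairs must match) does
    not match it.
    """
    code = str(event_code)
    if code not in WHITELIST_CODES:
        return False
    blacklisted = bool(re.search(code_pattern, code)) and bool(re.search(message_pattern, message))
    return not blacklisted


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        hits = blacklist_hits(pattern)
        if hits is None:
            print(f"{name}: does not compile (invalid regex)")
        else:
            print(f"{name}: suppresses {len(hits)} of {len(SAMPLE_PATHS)} sample paths")
            for p in hits:
                print(f"    {p}")
    print("AcroRd32 8004 kept:", keep_event(8004, SAMPLE_PATHS[3], PATTERNS["blacklist5"]))
    print("RdrCEF 8004 kept:  ", keep_event(8004, SAMPLE_PATHS[1], PATTERNS["blacklist5"]))
```

Running it shows why the original attempts missed events: blacklist1 and blacklist3 only catch the all-uppercase form, blacklist4 is not a valid regex at all, and only the (?i) pattern from the accepted answer suppresses all three spellings while leaving the other Reader binary alone.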