Getting Data In
Highlighted

How to create inputs.conf blacklist with BOOLEAN

Path Finder

Hi there,

I want to create a blacklist in the universal forwarder or in my heavy forwarder with the following conditions:

1)EventCode=4688
2)splunk*.exe

so I want the regex to be something like EventCode=4688 AND splunk*.
I tried many different combinations like this one:

(?:.*\n){1,}EventCode=4688(?:.*\n){1,}.*splunk-.*\.exe(?:.*\n){1,}(?:.*\n)

The above regex matches the event but it's not working in the transforms.conf or inputs.conf.

This is how the event looks like:

##########
10/03/2019 03:33:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=Win1-New
TaskCategory=Process Creation
OpCode=Info
RecordNumber=2926293
Keywords=Audit Success
Message=A new process has been created.

Subject:
Security ID: S-1-1-12
Account Name: WIN$1
Account Domain: LOCALGROUP
Logon ID: 0x3e7

Process Information:
New Process ID: 0x143c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0x1504
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

Any ideas how should I proceed?

Thanks.

0 Karma
Highlighted

Re: How to create inputs.conf blacklist with BOOLEAN

SplunkTrust
SplunkTrust

Blacklists for Windows events are not free-form regex. You can use a list of event codes, which won't work for you, or a number key=regex pairs. The latter probably is what you want. Pairs are automatically ANDed. Unfortunately, the key portion of the blacklist is limited to certain fields and ProcessCommandLine is not one of them.

See https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Inputsconf#Event_Log_whitelist_and_blacklis...

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Highlighted

Re: How to create inputs.conf blacklist with BOOLEAN

Path Finder

Appreciate your response @richgalloway

I thought it deals with the raw data.
I see that it only works on Category, CategoryString, ComputerName, EventCode, EventType, Keywords,
LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,
TaskCategory, Type, User.

The keyword that I wanted to AND with was "splunk-" and I used the Message field.
I could make it work, thanks so much.

Could you please tell me what format should I use if I want to drop them in transforms.conf?
I tried a few regexes that again worked in regex editors but splunk ignored it.

0 Karma
Highlighted

Re: How to create inputs.conf blacklist with BOOLEAN

SplunkTrust
SplunkTrust

I don't understand the new question. You have it working, right?

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: How to create inputs.conf blacklist with BOOLEAN

Path Finder

Yes, I do. I could make it work by creating a blacklist in inputs.conf

The question was, how can I filter such events in transforms.conf.
How can I AND things in the (REGEX = ) field.
Because my regex matches the multiline logs but Splunk is not dropping them.

props.conf
[source::WinEventLog:Security]
TRANSFORMS-null = drop1

transforms.conf
[drop1]
REGEX = (EventCode=4688)(?:.\n){1,}(New Process Name:\s+.splunk-.*exe)
DEST_KEY = queue
FORMAT = nullQueue

0 Karma
Highlighted

Re: How to create inputs.conf blacklist with BOOLEAN

SplunkTrust
SplunkTrust

I don't know that.

---
If this reply helps you, an upvote would be appreciated.
0 Karma