Getting Data In

How to edit inputs.conf in order to whitelist incoming Windows events by EventCode?

elindemann
Engager

Hello there,

I'm currently trying to whitelist incoming Windows events by EventCode, but it doesn't actually filter the events. I've searched through various documentations, but can't seem to find the right settings.

Here's what I did:
in Splunk\etc\system\local\inputs.conf:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs. (I also tried whitelist = 4663 )
whitelist1 = EventCode=4663
# exclude these event IDs from being indexed.
# blacklist = 

I'm still a bit confused about which inputs.conf is for what (if anyone has good documentation for that...).
Did I choose the right one? I tried restarting Splunk, but it's still indexing the wrong events.

What am I missing?

0 Karma

niketn
Legend

Try the following:

whitelist=EventCode="^4663$"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

elindemann
Engager

hi niketnilay,

this doesn't seem to work for me.

0 Karma

niketn
Legend

Currently, are you seeing all event codes from Security and not just 4663?

When you disable WinEventLog://Security, does it stop sending the events?

 [WinEventLog://Security]
 disabled = 1
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi elindemann,
the best documentation you can find is at https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf.
If your filter doesn't work, verify the regex you used in your whitelist.
Bye.
Giuseppe

0 Karma

elindemann
Engager

Hello Giuseppe,

thanks for the reply.

From the documentation:

# Event Log filtering
#
# Filtering at the input layer is desirable to reduce the total
# processing load in network transfer and computation on the Splunk
# nodes that acquire and processing Event Log data.

whitelist = <list of eventIDs> | key=regex [key=regex]
blacklist = <list of eventIDs> | key=regex [key=regex]

[...]

* These settings are optional.
* Both numbered and unnumbered whitelists and blacklists support two formats:
  * A comma-separated list of event IDs.
  * A list of key=regular expression pairs.
  * You cannot combine these formats. You can use either format on a specific
    line.

so I adjusted my inputs.conf to

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs.
# whitelist = EventCode="4663"
whitelist = 4663
# exclude these event IDs from being indexed.
#blacklist = 2001-3000

but still with the same result. It can't be the regex because I actually don't want to mess with it when I can just take the super easy approach.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi elindemann,
I don't think that whitelist = 4663 is correct; it should rather be whitelist = EventCode=4663 or whitelist = EventCode\=4663.
In https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf there is an example whitelist = EventCode=%^200$%
I usually don't filter events in Universal Forwarder but only on the Indexers.

0 Karma

elindemann
Engager

Hello Giuseppe,

I tried whitelist = EventCode\=4663 and whitelist = EventCode=%^4663$% but both didn't work.

My problem is that I want to get that one EventCode, but it's generated with a lot of other noise around it that I don't want indexed, mostly because it would hit the license pretty hard without any good reason.

Do you know any other way that would be possible?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi elindemann,
It's possible and I did it, but I used a different approach: I filtered events on the indexers; I didn't use whitelist.
I know that this solves only the Splunk license problem and doesn't eliminate network traffic, but it gives me more control over the filter.
bye.
Giuseppe

0 Karma

elindemann
Engager

Hi Giuseppe,

can you tell me how you did it?
I'm not that concerned about network traffic.
Just to be clear, I'm not using forwarders or any fancy setups. All I have is the Splunk server on one machine and the file server on another. The Splunk server is getting the events by itself, and I don't want all of these events indexed.

maybe my first approach wasn't the right one?

0 Karma

gcusello
SplunkTrust
SplunkTrust

I think that you should use a Universal Forwarder on the file server; in this way the transfer between the file server and the Splunk server is optimized in many ways (compression, cache, bandwidth, etc.).
Anyway, to filter events (see http://docs.splunk.com/Documentation/Splunk/6.5.1/Forwarding/Routeandfilterdatad) you have to edit:
props.conf

[your_sourcetype]
TRANSFORMS-null= setnull

transforms.conf

[setnull]
REGEX = EventCode\=4663
DEST_KEY = queue
FORMAT = nullQueue

and restart Splunk

Bye.
Giuseppe

0 Karma
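A keep-only-4663 version of the indexer-side filter described in the post above, added here as an example and not taken from the original thread or the Splunk docs verbatim. As posted, a single transform that sends `EventCode=4663` matches to `nullQueue` discards exactly the event the question wants to keep; keeping one code and dropping everything else takes two transforms listed in order, because the later transform wins for the events it matches. It assumes the default classic sourcetype `WinEventLog:Security` (text-rendered events with an `EventCode=` line); both stanza and transform names are my own.

```ini
# props.conf (on the indexer, or on the single Splunk server in this setup)
# Assumed sourcetype: the default classic Security sourcetype "WinEventLog:Security".
# Transforms run left to right; for an event matched by both, the later one wins.
[WinEventLog:Security]
TRANSFORMS-filter = drop_all_security, keep_4663

# transforms.conf
# Step 1: route every Security event to the null queue (dropped, never indexed).
[drop_all_security]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Step 2: route events whose EventCode line is exactly 4663 back to the index queue.
# (?m) makes ^ match line starts inside the multi-line event text; \b stops
# 4663 from also matching a hypothetical 46630 and copes with \r\n line endings.
[keep_4663]
REGEX = (?m)^EventCode=4663\b
DEST_KEY = queue
FORMAT = indexQueue
```

Events routed to nullQueue are never indexed and so do not count against the license, which is the concern raised earlier in the thread. After restarting Splunk, a search over `sourcetype=WinEventLog:Security` should return only 4663 events.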