How to edit inputs.conf in order to whitelist incoming Windows events by EventCode?

Engager

Hello there,

I'm currently trying to whitelist incoming Windows events by EventCode, but it doesn't actually filter the events. I've searched through various documentation, but can't seem to find the right settings.

Here's what I did:
in Splunk\etc\system\local\inputs.conf:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs. (I also tried whitelist = 4663 )
whitelist1 = EventCode=4663
# exclude these event IDs from being indexed.
# blacklist = 

I'm still a bit confused about which inputs.conf is for what (if anyone has good documentation for that...)
Did I choose the right one? I tried restarting Splunk, but it's still indexing the wrong events.

What am I missing?

0 Karma

Re: How to edit inputs.conf in order to whitelist incoming Windows events by EventCode?

Legend

Hi elindemann,
the best documentation you can find is at https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf.
If your filter doesn't run verify the regex you used in your whitelist.
Bye.
Giuseppe

0 Karma

Re: How to edit inputs.conf in order to whitelist incoming Windows events by EventCode?

Engager

Hello Giuseppe,

thanks for the reply.

From the documentation:

# Event Log filtering
#
# Filtering at the input layer is desirable to reduce the total
# processing load in network transfer and computation on the Splunk
# nodes that acquire and processing Event Log data.

whitelist = <list of eventIDs> | key=regex [key=regex]
blacklist = <list of eventIDs> | key=regex [key=regex]

[...]

* These settings are optional.
* Both numbered and unnumbered whitelists and blacklists support two formats:
  * A comma-separated list of event IDs.
  * A list of key=regular expression pairs.
  * You cannot combine these formats. You can use either format on a specific
    line.

so I adjusted my inputs.conf to

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs.
# whitelist = EventCode="4663"
whitelist = 4663
# exclude these event IDs from being indexed.
#blacklist = 2001-3000

but still with the same result. It can't be the regex, because I actually don't want to mess with it when I can just take the super easy approach.

0 Karma
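The two whitelist/blacklist formats quoted from the inputs.conf spec above can be checked offline before the stanza is deployed. The following Python is an added example written for this page, not code from the thread or from Splunk: it parses one whitelist or blacklist value in either documented format (a comma-separated list of event IDs, ranges included, or key=regex pairs whose regex is delimited by % or ") and applies it to a handful of constructed Security-log events. It assumes that every key=regex pair on a line must match and that a blacklist match always drops the event; it also accepts an undelimited regex such as EventCode=4663 leniently, which is an assumption of this emulator, not a statement about what Splunk does with it. The sample events and their field values are made up for the demonstration.

```python
import re

# Constructed sample events (not from the page). Each dict carries the keys the
# inputs.conf spec lists for key=regex matching on WinEventLog inputs.
SAMPLE_EVENTS = [
    {"EventCode": "4624", "Type": "Information", "User": "CORP\\alice",
     "Message": "An account was successfully logged on."},
    {"EventCode": "4656", "Type": "Information", "User": "CORP\\alice",
     "Message": "A handle to an object was requested."},
    {"EventCode": "4663", "Type": "Information", "User": "CORP\\alice",
     "Message": "An attempt was made to access an object."},
    {"EventCode": "4672", "Type": "Information", "User": "CORP\\svc_backup",
     "Message": "Special privileges assigned to new logon."},
    {"EventCode": "4688", "Type": "Information", "User": "CORP\\alice",
     "Message": "A new process has been created."},
    {"EventCode": "5156", "Type": "Information", "User": "NT AUTHORITY\\SYSTEM",
     "Message": "The Windows Filtering Platform has permitted a connection."},
]

# Format 1: "4663" or "4,5,7,100-200" (event IDs and ID ranges).
ID_LIST = re.compile(r"\d+(?:-\d+)?(?:\s*,\s*\d+(?:-\d+)?)*")
# Format 2: key=regex pairs. The docs delimit the regex with %...% or "...";
# a bare value (EventCode=4663) is accepted here as an assumption of this emulator.
KEY_REGEX = re.compile(r'(\w+)=(?:%([^%]*)%|"([^"]*)"|(\S+))')


def parse_filter(value):
    """Parse one whitelist/blacklist value into
    ('ids', [(lo, hi), ...]) or ('regex', [(key, compiled_pattern), ...])."""
    value = value.strip()
    if ID_LIST.fullmatch(value):
        ranges = []
        for part in value.split(","):
            lo, _, hi = part.strip().partition("-")
            ranges.append((int(lo), int(hi or lo)))
        return ("ids", ranges)
    pairs = KEY_REGEX.findall(value)
    if not pairs:
        raise ValueError(f"not a valid whitelist/blacklist value: {value!r}")
    return ("regex", [(key, re.compile(pct or quoted or bare))
                      for key, pct, quoted, bare in pairs])


def matches(spec, event):
    """True if the event satisfies one whitelist/blacklist value."""
    kind, body = parse_filter(spec)
    if kind == "ids":
        code = int(event["EventCode"])
        return any(lo <= code <= hi for lo, hi in body)
    # Assumption: every key=regex pair on the line must match (AND).
    return all(pat.search(str(event.get(key, ""))) for key, pat in body)


def filter_events(events, whitelists=(), blacklists=()):
    """Keep an event if no whitelist is set or any whitelist matches,
    and no blacklist matches (assumption: blacklist wins over whitelist)."""
    kept = []
    for ev in events:
        allowed = not whitelists or any(matches(w, ev) for w in whitelists)
        blocked = any(matches(b, ev) for b in blacklists)
        if allowed and not blocked:
            kept.append(ev)
    return kept


def kept_codes(events, whitelists=(), blacklists=()):
    """Convenience wrapper returning only the EventCodes that survive."""
    return [ev["EventCode"] for ev in filter_events(events, whitelists, blacklists)]


if __name__ == "__main__":
    for spec in ("4663", "EventCode=%^4663$%", 'EventCode="^46(56|63)$"'):
        print(f"whitelist = {spec:28} -> {kept_codes(SAMPLE_EVENTS, whitelists=[spec])}")
    print(f"blacklist = 4600-4699 {'':16} -> {kept_codes(SAMPLE_EVENTS, blacklists=['4600-4699'])}")
```

Running it shows that whitelist = 4663 and whitelist = EventCode=%^4663$% select the same single event, that a quoted regex can select several codes at once, and that a blacklist range such as 4600-4699 removes everything in that range regardless of any whitelist. If a stanza that passes this check still lets every event through on a live system, the problem is not the filter syntax but where the stanza is applied: the filter only acts on the WinEventLog input it is written in, on the instance that runs that input.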

Re: How to edit inputs.conf in order to whitelist incoming Windows events by EventCode?

Legend

Hi elindemann,
I don't think that whitelist = 4663 is correct; it should rather be whitelist = EventCode=4663 or whitelist = EventCode\=4663.
In https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf there is an example whitelist = EventCode=%^200$%
I usually don't filter events in Universal Forwarder but only on the Indexers.

0 Karma

Re: How to edit inputs.conf in order to whitelist incoming Windows events by EventCode?

Engager

Hello Giuseppe,

I tried whitelist = EventCode\=4663 and whitelist = EventCode=%^4663$% but both didn't work.

My problem is that I want to get that one EventCode, but it's generated with a lot of other noise around it that I don't want indexed, mostly because it would hit the license pretty hard without any good reason.

Do you know any other way that would be possible?

0 Karma

Re: How to edit inputs.conf in order to whitelist incoming Windows events by EventCode?

Legend

Hi elindemann,
It's possible and I did it, but I used a different approach: I filtered events on the indexers; I didn't use whitelist.
I know that this solves only the Splunk license problem and doesn't eliminate network traffic, but it gives me more control over the filter.
bye.
Giuseppe

0 Karma

Re: How to edit inputs.conf in order to whitelist incoming Windows events by EventCode?

Engager

Hi Giuseppe,

can you tell me how you did it?
I'm not that concerned about network traffic.
Just to be clear, I'm not using forwarders or any fancy setup. All I have is the Splunk server on one machine and the file server on another. The Splunk server is getting the events by itself, and I don't want all of these events indexed.

maybe my first approach wasn't the right one?

0 Karma

Re: How to edit inputs.conf in order to whitelist incoming Windows events by EventCode?

Legend

I think that you should use a Universal Forwarder on the file server; in this way the transfer between the file server and the Splunk server is optimized in very many ways (compression, cache, bandwidth, etc.).
Anyway, to filter events (see http://docs.splunk.com/Documentation/Splunk/6.5.1/Forwarding/Routeandfilterdatad) you have to edit:
props.conf

[your_sourcetype]
# for the [WinEventLog://Security] input the default sourcetype is WinEventLog:Security
TRANSFORMS-null= setnull

transforms.conf

[setnull]
# every event whose raw text matches REGEX is routed to nullQueue, i.e. discarded before indexing
REGEX = EventCode\=4663
DEST_KEY = queue
FORMAT = nullQueue

and restart Splunk

Bye.
Giuseppe

0 Karma
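The stanza pair above discards whatever matches the regex; the thread actually wants the inverse, keep 4663 and discard the rest, which needs two transforms run in a fixed order. The following Python is an added example written for this page, not code from the thread or from Splunk. It embeds a constructed props.conf/transforms.conf pair following the documented "keep specific events, discard the rest" pattern (a catch-all transform to nullQueue, followed by a narrower one back to indexQueue), parses the two files with a minimal Splunk .conf reader, and replays the routing rule that transforms listed in one TRANSFORMS-* setting run in order and the last matching one sets DEST_KEY. It assumes the input's default sourcetype WinEventLog:Security and a few constructed raw events in the one-key=value-per-line layout the WinEventLog input produces.

```python
import re

# Constructed configuration (an added example, not from the thread): keep only
# EventCode 4663 from the Security log and send everything else to nullQueue.
# Transforms in one TRANSFORMS-* setting run in order and the last one whose
# REGEX matches decides DEST_KEY, so the catch-all setnull must come first.
PROPS_CONF = """
[WinEventLog:Security]
TRANSFORMS-filter = setnull, keep4663
"""

TRANSFORMS_CONF = """
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep4663]
REGEX = (?m)^EventCode=4663$
DEST_KEY = queue
FORMAT = indexQueue
"""

# Constructed raw events in the layout the WinEventLog input produces
# (one key=value pair per line); only the lines relevant here are included.
RAW_4663 = """01/10/2017 10:15:03 AM
LogName=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=4663
EventType=0
Type=Information
TaskCategory=File System
Message=An attempt was made to access an object.
"""

RAW_4624 = """01/10/2017 10:15:01 AM
LogName=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=4624
EventType=0
Type=Information
TaskCategory=Logon
Message=An account was successfully logged on.
"""


def parse_conf(text):
    """Minimal reader for Splunk's INI-style .conf files: {stanza: {key: value}}.
    Splits each setting at the first '=' so a REGEX containing '=' survives."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def route(raw_event, sourcetype, props, transforms):
    """Return the queue the event ends up in. Events start on indexQueue; each
    queue-routing transform whose REGEX matches overrides the earlier decision."""
    queue = "indexQueue"
    for key, value in props.get(sourcetype, {}).items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], raw_event):
                queue = t["FORMAT"]
    return queue


PROPS = parse_conf(PROPS_CONF)
TRANSFORMS = parse_conf(TRANSFORMS_CONF)


def route_all(events, sourcetype="WinEventLog:Security"):
    """Map each event's EventCode to the queue it is routed to."""
    result = {}
    for raw in events:
        code = re.search(r"(?m)^EventCode=(\d+)$", raw).group(1)
        result[code] = route(raw, sourcetype, PROPS, TRANSFORMS)
    return result


def route_with_transform_order(raw_event, order):
    """Same routing with the transform list given in a chosen order, to show
    why setnull has to precede keep4663."""
    props = {"WinEventLog:Security": {"TRANSFORMS-filter": ", ".join(order)}}
    return route(raw_event, "WinEventLog:Security", props, TRANSFORMS)


if __name__ == "__main__":
    print(route_all([RAW_4663, RAW_4624]))
    print(route_with_transform_order(RAW_4663, ["keep4663", "setnull"]))
```

Two points the replay makes visible: with the order reversed (keep4663 before setnull) the catch-all runs last and every event, 4663 included, is discarded; and the REGEX is anchored to the EventCode line with (?m)^...$ so it cannot fire on the same digits appearing inside a Message field. Routing to nullQueue happens in the parsing pipeline, so these stanzas take effect on the instance that parses the data (the indexer in this thread's setup, or a heavy forwarder), not on a universal forwarder, where the inputs.conf whitelist/blacklist is the only filter available for this input; events sent to nullQueue are not counted against the license.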

Re: How to edit inputs.conf in order to whitelist incoming Windows events by EventCode?

Legend

Try the following:

whitelist=EventCode="^4663$"

| eval message="Happy Splunking!!!"

0 Karma

Re: How to edit inputs.conf in order to whitelist incoming Windows events by EventCode?

Engager

Hi niketnilay,

this doesn't seem to work for me.

0 Karma