I am trying to remove generic service account names from the Windows Security log, so that we can focus on indexing only the specific user accounts. Am I missing something in my inputs.conf?
[WinEventLog://Security]
disabled = 0
index = "index"
sourcetype = "sourcetype"
blacklist = Account_Name=name1| name2|name3|name4|name5
Thank you in advance.
I'm reading the inputs.conf and referenced Windows docs now. A couple thoughts crossed my mind:
Thanks Burch, I am going to run through this today. I did actually try narrowing it down to one single name initially; the odd thing was that the blacklist seemed to work for a lot of the names using Account_Name. I do agree with you though, that it does not seem to be a valid key to match on. I will try the 'User' and/or 'Message' field. I can always use a little guidance on RegEx 😉 Thanks again.
I believe that I may have captured the events with this:
[WinEventLog://Security]
disabled = 0
index = certification
blacklist= Message="Account\sName:\s+(srvHPOM|SYSTEM|(\w+\$))"
Thank you for all the help. As always, the collaboration is greatly appreciated!!!
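To check which events a Message-field blacklist like the one above would actually drop before pushing it to forwarders, here is an added example (not from this thread and not Splunk's own code) that runs the same regex over constructed 4624-style Message bodies; the event labels and sample text are made up for the demonstration.

```python
import re

# Regex from the accepted blacklist in this thread. Splunk evaluates
# blacklist patterns with PCRE as an unanchored search; Python's re
# behaves the same way for this pattern.
BLACKLIST_MESSAGE_RE = re.compile(r"Account\sName:\s+(srvHPOM|SYSTEM|(\w+\$))")

# Constructed Message bodies (not real events) laid out like a Windows
# 4624 logon event, which carries a Subject block and a New Logon block,
# each with its own "Account Name:" line.
SAMPLE_EVENTS = {
    "system_logon": (
        "Subject:\n\tAccount Name:\t\tSYSTEM\n"
        "New Logon:\n\tAccount Name:\t\tSYSTEM\n"
    ),
    "machine_account": (
        "Subject:\n\tAccount Name:\t\t-\n"
        "New Logon:\n\tAccount Name:\t\tWORKSTATION01$\n"
    ),
    "monitoring_service": (
        "Subject:\n\tAccount Name:\t\tsrvHPOM\n"
        "New Logon:\n\tAccount Name:\t\tsrvHPOM\n"
    ),
    "named_user": (
        "Subject:\n\tAccount Name:\t\t-\n"
        "New Logon:\n\tAccount Name:\t\tjdoe\n"
    ),
    # User logon whose Subject is the machine account: the unanchored
    # search hits the first Account Name line, so the user event is dropped.
    "user_via_machine_subject": (
        "Subject:\n\tAccount Name:\t\tWORKSTATION01$\n"
        "New Logon:\n\tAccount Name:\t\tjdoe\n"
    ),
    # A user whose name merely starts with SYSTEM also matches.
    "systemtest_user": (
        "Subject:\n\tAccount Name:\t\t-\n"
        "New Logon:\n\tAccount Name:\t\tSYSTEMTEST\n"
    ),
}


def is_blacklisted(message: str) -> bool:
    """True if the forwarder would discard this event under the blacklist."""
    return BLACKLIST_MESSAGE_RE.search(message) is not None


def blacklisted_names(events: dict) -> list:
    """Labels of the sample events the blacklist would discard, sorted."""
    return sorted(name for name, msg in events.items() if is_blacklisted(msg))


if __name__ == "__main__":
    for label, msg in SAMPLE_EVENTS.items():
        print(f"{label:26s} -> {'DROPPED' if is_blacklisted(msg) else 'kept'}")
```

The last two samples show the cost of an unanchored search: an event can be lost because of a machine-account Subject line or a prefix match, so tighten the pattern (for example with a trailing `(?=\s|$)` and a check of which Account Name line you mean) before relying on it for indexing decisions.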
Perfect. That's exactly what I was thinking!
Try this instead:
blacklist1 = Account_Name="name1|name2|name3|name4|name5"
Also, I would not change the sourcetype unless absolutely necessary.
Thank you, I will try this shortly. I appreciate that advice on the sourcetype also. I will respond back as soon as I get the chance to test it out. Cheers.
Unfortunately, this is still not working. Is there more information I can provide to help come up with a solution?
You need to restart the Splunk instance on the forwarder and then only look at events that have been forwarded in AFTER the restart.
I had done a restart on the forwarder itself and did a reload of the deployment server. For some reason it is not omitting all the accounts listed. I have even captured the event name as it shows.
Try removing the double-quotes.
Still no luck. Would it make any sense to remove Account_Name and just blacklist the service accounts generically?