Getting Data In

How to edit my WinEventLog blacklist configuration to exclude AccountNames in Windows Security logs from getting indexed?

CaptainHook
Communicator

I am trying to remove generic service account names from the Windows Security log, so that we can focus on indexing only the specific user accounts. Am I missing something in my inputs.conf?

[WinEventLog://Security] 
disabled = 0 
index = "index"
sourcetype = "sourcetype"
blacklist = Account_Name=name1| name2|name3|name4|name5

Thank you in advance.

0 Karma
1 Solution

sloshburch
Splunk Employee

I'm reading the inputs.conf and referenced Windows docs now. A couple thoughts crossed my mind:

  1. Did you try blacklisting a single name? This would be a base case to make sure that if you can get at least one blocked, then the problem is the syntax with blocking multiple. If we can't even get one, then we know the issue is before the multi-value syntax.
  2. The inputs.conf docs imply that Account_Name isn't a valid key to match on in the blacklist. Check the list of valid Keys (the Account_Name part of your syntax) by searching for the table labelled "Create advanced filters with 'whitelist' and 'blacklist'" on http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorWindowseventlogdata . You might want to explore the 'User' or the 'Message' fields if you agree that Account_Name is not an option. Don't forget regex to match anything before/after the value of the Account_Name - I can support you on that if unclear but I know you'd like to give it a try on your own first.

CaptainHook
Communicator

Thanks Burch, I am going to run through this today. I did actually try narrowing it down to one single name initially; the odd thing was that the blacklist seemed to work for a lot of the names using Account_Name. I do agree with you though, that it does not seem to be a valid key to match on. I will try the 'User' and/or 'Message' field. I can always use a little guidance on RegEx 😉 Thanks again.

0 Karma

CaptainHook
Communicator

I believe that I may have captured the events with this:

# Windows platform specific input processor.

[WinEventLog://Security]
disabled = 0
index = certification
blacklist= Message="Account\sName:\s+(srvHPOM|SYSTEM|(\w+\$))"

Thank you for all the help. As always, the collaboration is greatly appreciated!!!

0 Karma
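The regex above keys on the Message text, so it is worth checking offline which events it would actually drop before deploying it to a forwarder. The script below is an added example, not code from this thread or from Splunk: it models the forwarder's blacklist as an unanchored regex search over the Message text (an assumption about Splunk's matching semantics), runs the thread's pattern over a few constructed, abbreviated 4624/4634 messages, and compares it with a hypothetical tighter pattern (also an assumption, not something the thread proposes) that only inspects the "New Logon:" section. The point it shows: a 4624 logon carries two "Account Name:" lines, Subject and New Logon, and the Subject of a user's interactive logon is usually the workstation's machine account, which ends in `$`, so the pattern as written also suppresses real-user logons.

```python
import re

# Regex posted as the final working blacklist in this thread (Message key).
THREAD_PATTERN = r"Account\sName:\s+(srvHPOM|SYSTEM|(\w+\$))"

# Hypothetical tighter regex (an assumption, not from the thread) that only
# inspects the "New Logon:" section of a 4624 message. [\s\S]*? spans lines
# lazily, so it stops at the first "Account Name:" after "New Logon:".
NEW_LOGON_PATTERN = r"New Logon:[\s\S]*?Account Name:\s+(srvHPOM|SYSTEM|\w+\$)(?=\s|$)"


def _security_message(header, subject, new_logon=None):
    """Build an abbreviated, constructed Security event message body
    (SIDs and names are made up, not captured from a real host)."""
    lines = [header, "", "Subject:",
             "\tSecurity ID:\t\tS-1-5-21-1000-2000-3000-1001",
             f"\tAccount Name:\t\t{subject}",
             "\tAccount Domain:\t\tCORP"]
    if new_logon is not None:
        lines += ["", "Logon Type:\t\t2", "", "New Logon:",
                  "\tSecurity ID:\t\tS-1-5-21-1000-2000-3000-1105",
                  f"\tAccount Name:\t\t{new_logon}",
                  "\tAccount Domain:\t\tCORP"]
    return "\n".join(lines)


# Constructed sample events (not captured logs).
SAMPLE_EVENTS = {
    # 4624 where the workstation's machine account (Subject) logs a real
    # user on; the account that matters is in the New Logon section.
    "user_logon_by_machine_subject": _security_message(
        "An account was successfully logged on.", "WKS01$", "jdoe"),
    "service_account_logon": _security_message(
        "An account was successfully logged on.", "WKS01$", "srvHPOM"),
    "machine_account_logon": _security_message(
        "An account was successfully logged on.", "SYSTEM", "WKS01$"),
    # 4634 logoff has only a Subject section.
    "user_logoff": _security_message("An account was logged off.", "jdoe"),
}


def would_drop(message, pattern):
    """Emulate the forwarder blacklist (assumed to be an unanchored regex
    search over the Message text); a hit means the event is not indexed."""
    return re.search(pattern, message) is not None


def audit(events=SAMPLE_EVENTS, patterns=(THREAD_PATTERN, NEW_LOGON_PATTERN)):
    """Return {event_name: tuple of drop decisions, one per pattern}."""
    return {name: tuple(would_drop(msg, p) for p in patterns)
            for name, msg in events.items()}


if __name__ == "__main__":
    for name, (thread_drop, new_logon_drop) in audit().items():
        print(f"{name:32s} thread={thread_drop!s:5s} new_logon_only={new_logon_drop}")
```

Running it shows `user_logon_by_machine_subject` dropped by the thread's pattern but kept by the New Logon variant, while the service, machine and logoff cases are treated the same by both. Whatever pattern you settle on, confirm it on the forwarder itself after a restart and only judge events forwarded after that point, since the emulation here is only as good as the assumption that Splunk searches the whole Message text.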

sloshburch
Splunk Employee
Splunk Employee

Perfect. That's exactly what I was thinking!

0 Karma

woodcock
Esteemed Legend

Try this instead:

blacklist1 = Account_Name="name1|name2|name3|name4|name5"

Also, I would not change the sourcetype unless absolutely necessary.

CaptainHook
Communicator

Thank you, I will try this shortly. I appreciate that advice on the sourcetype also. I will respond back as soon as I get the chance to test it out. Cheers.

0 Karma

CaptainHook
Communicator

Unfortunately, this is still not working. Is there more information I can provide to help come up with a solution?

0 Karma

woodcock
Esteemed Legend

You need to restart the Splunk instance on the forwarder and then only look at events that have been forwarded in AFTER the restart.

0 Karma

CaptainHook
Communicator

I had done a restart on the forwarder itself and did a reload of the deployment server. For some reason it is not omitting all the accounts listed. I have even captured the event name as it shows.

0 Karma

woodcock
Esteemed Legend

Try removing the double-quotes.

0 Karma

CaptainHook
Communicator

Still no luck. Would it make any sense to remove Account_Name and just blacklist the service accounts generically?

0 Karma