Getting Data In

How to edit my WinEventLog blacklist configuration to exclude AccountNames in Windows Security logs from getting indexed?

CaptainHook
Communicator

I am trying to remove generic service account names from the Windows Security log, so that we can focus on indexing only the specific user accounts. Am I missing something in my inputs.conf?

[WinEventLog://Security] 
disabled = 0 
index = "index"
sourcetype = "sourcetype"
blacklist = Account_Name=name1| name2|name3|name4|name5

Thank you in advance.

0 Karma
1 Solution

sloshburch
Splunk Employee
Splunk Employee

I'm reading the inputs.conf and referenced Windows docs now. A couple thoughts crossed my mind:

  1. Did you try blacklisting a single name? This would be a base case to make sure that if you can get at least one blocked, then the problem is the syntax with blocking multiple. If we can't event get one, then we know the issue is before the multi-value syntax.
  2. The inputs.conf docs imply that Account_Name isn't a valid key to match on in the blacklist. Check the list of valid Keys (the Account_Name part of your syntax) by searching for the table labelled "Create advanced filters with 'whitelist' and 'blacklist'" on http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorWindowseventlogdata . You might want to explore the 'User' or the 'Message' fields if you agree that Account_Name is not an option. Don't forget regex to match anything before/after the value of the Account_Name - I can support you on that if unclear but I know you'd like to give it a try on your own first.

View solution in original post

sloshburch
Splunk Employee
Splunk Employee

I'm reading the inputs.conf and referenced Windows docs now. A couple thoughts crossed my mind:

  1. Did you try blacklisting a single name? This would be a base case to make sure that if you can get at least one blocked, then the problem is the syntax with blocking multiple. If we can't event get one, then we know the issue is before the multi-value syntax.
  2. The inputs.conf docs imply that Account_Name isn't a valid key to match on in the blacklist. Check the list of valid Keys (the Account_Name part of your syntax) by searching for the table labelled "Create advanced filters with 'whitelist' and 'blacklist'" on http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorWindowseventlogdata . You might want to explore the 'User' or the 'Message' fields if you agree that Account_Name is not an option. Don't forget regex to match anything before/after the value of the Account_Name - I can support you on that if unclear but I know you'd like to give it a try on your own first.

CaptainHook
Communicator

Thanks Burch, I am going to run through this today. I did actually try narrowing it down to one single name initially; the odd thing was that the blacklist seemed to work for a lot of the names using Account_Name. I do agree with you though, that it does not seem to be a valid key to match on. I will try the 'User' and/or 'Message' field. I can always use a little guidance on RegEx 😉 Thanks again.

0 Karma

CaptainHook
Communicator

I believe that I may have captured the events with this:

Windows platform specific input processor.

[WinEventLog://Security]
disabled = 0
index = certification
blacklist= Message="Account\sName:\s+(srvHPOM|SYSTEM|(\w+\$))"

Thank you for all the help. As always, the collaboration is greatly appreciated!!!

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Perfect. That's exactly what I was thinking!

0 Karma

woodcock
Esteemed Legend

Try this instead:

 blacklist1 = Account_Name="name1|name2|name3|name4|name5"

Also, I would not change the sourcetype unless absolutely necessary.

CaptainHook
Communicator

Thank you, I will try this shortly. I appreciate that advice on the sourcetype also. I will respond back as soon as I get the chance to test it out. Cheers.

0 Karma

CaptainHook
Communicator

Unfortunately, this is still not working. Is there more information I can provide to help come up with a solution?

0 Karma

woodcock
Esteemed Legend

You need to restart the Splunk instance on the forwarder and then only look at events that have been forwarded in AFTER the restart.

0 Karma

CaptainHook
Communicator

I had done a restart on the forwarder itself and did a reload of the deployment server. For some reason it is not omitting all the accounts listed. I have even capture the event name as it shows.

0 Karma

woodcock
Esteemed Legend

Try removing the double-quotes.

0 Karma

CaptainHook
Communicator

Still no luck. Would it make any sense to remove Account_Name and just blacklist the service accounts generically?

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...