
How to edit my WinEventLog blacklist configuration to exclude AccountNames in Windows Security logs from getting indexed?

Communicator

I am trying to remove generic service account names from the Windows Security log, so that we can focus on indexing only the specific user accounts. Am I missing something in my inputs.conf?

[WinEventLog://Security]
disabled = 0
index = "index"
sourcetype = "sourcetype"
blacklist = Account_Name=name1| name2|name3|name4|name5

Thank you in advance.

1 Solution

Ultra Champion

I'm reading the inputs.conf and referenced Windows docs now. A couple thoughts crossed my mind:

  1. Did you try blacklisting a single name? This would be a base case to make sure that if you can get at least one blocked, then the problem is the syntax with blocking multiple. If we can't even get one, then we know the issue is before the multi-value syntax.
  2. The inputs.conf docs imply that AccountName isn't a valid key to match on in the blacklist. Check the list of valid Keys (the AccountName part of your syntax) by searching for the table labelled "Create advanced filters with 'whitelist' and 'blacklist'" on http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorWindowseventlogdata . You might want to explore the 'User' or the 'Message' fields if you agree that AccountName is not an option. Don't forget regex to match anything before/after the value of the AccountName - I can support you on that if unclear but I know you'd like to give it a try on your own first.



Communicator

Thanks Burch, I am going to run through this today. I did actually try narrowing it down to one single name initially; the odd thing was that the blacklist seemed to work for a lot of the names using Account_Name. I do agree with you though, that it does not seem to be a valid key to match on. I will try the 'User' and/or 'Message' field. I can always use a little guidance on RegEx 😉 Thanks again.


Communicator

I believe that I may have captured the events with this:

# Windows platform specific input processor.

[WinEventLog://Security]
disabled = 0
index = certification
blacklist= Message="Account\sName:\s+(srvHPOM|SYSTEM|(\w+\$))"

Thank you for all the help. As always, the collaboration is greatly appreciated!!!

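A quick way to check a Message blacklist regex before pushing it to the forwarders, as an added example that is not from the thread: it runs the thread's working pattern and a tightened variant over constructed event bodies and reports which events would survive the filter. It assumes Splunk applies the key's regex unanchored, as re.search does, and that its regex engine accepts the lookahead used in the tightened variant.

```python
import re
from typing import Dict, List

# Constructed sample Security event message bodies (not events from the thread).
# Real 4624/4672 messages carry "Account Name:" lines in this tab-separated shape.
SAMPLE_EVENTS: Dict[str, str] = {
    "system": ("An account was successfully logged on.\r\n\r\nSubject:\r\n"
               "\tAccount Name:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n"),
    "svc": ("Special privileges assigned to new logon.\r\n\r\nSubject:\r\n"
            "\tAccount Name:\t\tsrvHPOM\r\n\tAccount Domain:\t\tCORP\r\n"),
    "computer": ("An account was successfully logged on.\r\n\r\nSubject:\r\n"
                 "\tAccount Name:\t\tWS01$\r\n\tAccount Domain:\t\tCORP\r\n"),
    "user": ("An account was successfully logged on.\r\n\r\nSubject:\r\n"
             "\tAccount Name:\t\tjdoe\r\n\tAccount Domain:\t\tCORP\r\n"),
    # Looks like the service account but is a different principal.
    "lookalike": ("An account was successfully logged on.\r\n\r\nSubject:\r\n"
                  "\tAccount Name:\t\tsrvHPOM2\r\n\tAccount Domain:\t\tCORP\r\n"),
}

# Regex from the thread's working stanza: unanchored, so "srvHPOM" also matches
# the start of "srvHPOM2" and that event is silently dropped as well.
THREAD_PATTERN = r"Account\sName:\s+(srvHPOM|SYSTEM|(\w+\$))"

# Tightened variant (assumption: PCRE-style lookahead is accepted by the input
# processor). The name must be followed by whitespace or end of text, so only
# the exact service account, SYSTEM, and computer accounts (name$) are dropped.
TIGHT_PATTERN = r"Account\sName:\s+(srvHPOM|SYSTEM|\w+\$)(?=\s|$)"


def kept_events(pattern: str, events: Dict[str, str]) -> List[str]:
    """Labels of events a Message=<pattern> blacklist would NOT drop.

    Assumption: Splunk evaluates the blacklist regex against the whole message
    without anchoring, which is what re.search emulates here.
    """
    rx = re.compile(pattern)
    return [label for label, msg in events.items() if not rx.search(msg)]


if __name__ == "__main__":
    print("thread pattern keeps:", kept_events(THREAD_PATTERN, SAMPLE_EVENTS))
    print("tight pattern keeps: ", kept_events(TIGHT_PATTERN, SAMPLE_EVENTS))
```

Run it against a few real message bodies copied from your own index before changing inputs.conf; an over-broad alternation drops events without any error in splunkd.log.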

Ultra Champion

Perfect. That's exactly what I was thinking!


Esteemed Legend

Try this instead:

 blacklist1 = Account_Name="name1|name2|name3|name4|name5"

Also, I would not change the sourcetype unless absolutely necessary.

Communicator

Thank you, I will try this shortly. I appreciate that advice on the sourcetype also. I will respond back as soon as I get the chance to test it out. Cheers.


Communicator

Unfortunately, this is still not working. Is there more information I can provide to help come up with a solution?


Esteemed Legend

You need to restart the Splunk instance on the forwarder and then only look at events that have been forwarded in AFTER the restart.


Communicator

I had done a restart on the forwarder itself and did a reload of the deployment server. For some reason it is not omitting all the accounts listed. I have even captured the event name as it shows.


Esteemed Legend

Try removing the double-quotes.


Communicator

Still no luck. Would it make any sense to remove Account_Name and just blacklist the service accounts generically?
