I am trying to remove generic service account names from the Windows Security log, so that we can focus on indexing only the specific user accounts. Am I missing something in my inputs.conf?
[WinEventLog://Security]
disabled = 0
index = "index"
sourcetype = "sourcetype"
blacklist = Account_Name=name1| name2|name3|name4|name5
Thank you in advance.
Try this instead:
blacklist1 = Account_Name="name1|name2|name3|name4|name5"
Also, I would not change the sourcetype unless absolutely necessary.
Thank you, I will try this shortly. I appreciate that advice on the sourcetype also. I will respond back as soon as I get the chance to test it out. Cheers.
Unfortunately, this is still not working. Is there more information I can provide to help come up with a solution?
You need to restart the Splunk instance on the forwarder and then only look at events that have been forwarded in AFTER the restart.
I had done a restart on the forwarder itself and did a reload of the deployment server. For some reason it is not omitting all the accounts listed. I have even captured the event name as it shows.
Try removing the double-quotes.
Still no luck. Would it make any sense to remove Account_Name and just blacklist the service accounts generically?
Thanks, Burch. I am going to run through this today. I did actually try narrowing it down to one single name initially; the odd thing was that the blacklist seemed to work for a lot of the names using Account_Name. I do agree with you, though, that it does not seem to be a valid key to match on. I will try the 'User' and/or 'Message' field. I can always use a little guidance on RegEx 😉 Thanks again.
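For reference, here is what the corrected stanza could look like once the filter is moved from the non-existent `Account_Name` key onto the `Message` key, as suggested in the thread. This is an added example and not configuration posted by anyone in the thread; the index name and the service account names (`svc_backup`, `svc_sql`, `svc_monitor`) are placeholders. The input-time `blacklist` for the WinEventLog modular input only matches on the keys the input exposes (for example `EventCode`, `User`, `Message`, `TaskCategory`); `Account_Name` is a search-time extraction from the Splunk Windows add-on and is never visible at input time, which is why the original setting appeared to do nothing. For most Security log events the header `User` field is N/A or NOT_TRANSLATED, so the logon account has to be matched inside `Message`.

```ini
# Added example (not from the original thread). Assumes the forwarder's
# inputs.conf for the Security log; svc_backup/svc_sql/svc_monitor and the
# index name are placeholders.
[WinEventLog://Security]
disabled = 0
index = wineventlog
# Leave sourcetype at its default (WinEventLog:Security) so the add-on's
# field extractions, including Account_Name, still apply at search time.

# What the original post tried. Account_Name is not an input-time key, so
# this matches nothing and every event is still indexed:
#blacklist = Account_Name=name1| name2|name3|name4|name5

# Match on the raw event text instead. The regex is run against the whole
# Message; (?i) makes it case-insensitive and (?m) lets ^/$ match on each
# line of the message, so the pattern is anchored to the "Account Name:"
# line rather than matching the name anywhere in the text.
blacklist1 = Message="(?im)^\s*Account Name:\s+(svc_backup|svc_sql|svc_monitor)\s*$"

# Narrower alternative: only drop the noisy logon/logoff/privilege events
# for those accounts and keep everything else they do (account changes,
# group membership changes, etc.). Both keys must match for the event to be
# discarded. Use this instead of blacklist1, not in addition to it.
#blacklist1 = EventCode="^(4624|4634|4672)$" Message="(?im)^\s*Account Name:\s+(svc_backup|svc_sql|svc_monitor)\s*$"
```

Two things to keep in mind when testing this. The blacklist is applied by splunkd on the forwarder as events are read, so the forwarder has to be restarted after the change and only events collected after that restart are affected; anything already indexed stays searchable. Also, events such as 4624 carry two "Account Name:" lines (the Subject and the New Logon sections), and the broad form above drops the event if either one matches, so a service account that merely initiated an action on a normal user's account will also disappear from the index. If that audit trail matters, prefer the EventCode-scoped variant.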