Getting Data In

How to whitelist Windows Event IDs?

lutzmw
Engager

I need assistance with whitelisting as I can’t make it work.  I’m running the free trial version 9.0.0 of Splunk Enterprise. I have 1 Receiver (on a CentOS VM), and some Windows and CentOS systems (VM’s and physical devices) with the Universal Forwarder installed.  I’m getting data in from all my systems.  On the Windows systems I only need to see data from select Windows Security Log Events and would like to exclude all other log data/events.  I’ve read Splunk’s documentation about whitelisting and I guess I just don’t understand what I’m reading.  It doesn’t seem to be working as my license usage hasn’t decreased and/or I don’t know how to verify if it’s working.

I created an inputs.conf file in the following location:  /etc/system/local/ on the Universal Forwarders and its content is:

[WinEventLog://Security]

whitelist=1100,1101,1102,4616,4624,4625,4634,4647,4648,4657,4704,4705,4719,4720,4722,4723,4724,4725,4726,4740,4767,4776,4777,4616

Is this correct?

Do I have to put the statement disabled = 0 or is it implied?

I haven’t configured anything through Splunk web, do I need to do that?

Where do I save the inputs.conf file?  On the Receiver only, on the Universal Forwarders only, or on both?

Do I need to include all the statements from the default inputs.conf file in my new one?

Besides decreased license usage, is there a way to know if my whitelist is working?

Thank you for any and all help.

Labels (1)
Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @lutzmw,

at first I hint to read https://docs.splunk.com/Documentation/Splunk/latest/Data/AboutWindowsdataandSplunk and search on the YouTube Splunk Channel some video that describes how to ingest windows data.

Anyway, at first, don't create any inputs.conf, but download and install both on Splunk Enterprise and Windows clients the Splunk_TA-Windows (https://splunkbase.splunk.com/app/742/) that was created just to input and parse windows logs.

You have only to enable (on the Forwarders) the Wineventlog:Security input: you can do this copying inputs.conf from default to local folder and changing (in local inputs.conf) disabled from 1 to 0 in the wineventlog:security stanza, and restart Splunk on forwarders at the end.

In this way, you'll have all wineventlogs correctly indexed and parsed.

Then, if you want to filter wineventlogs:security logs, you can use (in the Forwarder's local inputs.conf) whitelist or blacklist: you have to add a row to indicate the EventCodes to blacklist or whitelist.

For more infos about this see at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf.

Ciao.

Giuseppe

lutzmw
Engager

Giuseppe,

Thanks for the response.  I haven't had a chance to try your solution but I should be able to try it soon.  At the bottom of the default inputs.conf file there's a section that I don't understand.  It says # default single instance modular input restarts.  Can you explain what this  is?  It also has a [WinEventLog] entry.  Is this where I make the change that's needed or do I place my whitelist further up in the file.  Thanks again

Mike

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @lutzmw,

sorry but I download the latest version of this TA and I didn't find the section you mentioned!

could you share it?

Ciao.

Giuseppe

0 Karma

lutzmw
Engager

The section I'm asking about is in the default inputs.conf file.  It's on the last page of the attached pdf.  Thanks for your help.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @lutzmw,

we're speaking of two different things:

I'm speaking of the last Splunk Add-On for Microsoft Windows (https://splunkbase.splunk.com/app/742/) and its last release is 8.5;

instead you're speaking of the inputs.conf in $SPLUNK_HOME/etc/system/default, in other words the default inputs.conf of Splunk.

This means that your file is the inputs.conf that you find by default in Splunk and the inputs you're speaking  are the modular inputs present by default in Splunk and that you can see in the GUI.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...