Is there a limit to the number of whitelist/blacklist configurations for security event ID filtering?

Explorer

We are trying to configure event ID filtering for security events, but even after using the configuration below, there are a few events that are present in the blacklist that are still getting generated in Splunk. Please point out if I am missing something in my inputs.conf file.
Is there any limitation on the number of blacklists that can be created?
Do blacklist groups have a limitation on the number of event IDs in one blacklist group?

[default]
host = NLCIM007

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
suppress_text = 0
# Filter keys must be spelled exactly whitelist/whitelist1-9 and blacklist/blacklist1-9;
# a misspelled key name (e.g. "whiltelist1") is not applied as a filter.
# Values are comma-separated event IDs with no trailing comma.
whitelist1 = 4649,5378,5632,5633,4868,4869,4870,4871,4872,4873,4882,5145,5140,5142,5143,5144,4698,4699,4700,4701
whitelist2 = 4705,4706,4707,4714,4911,4913,4950,4608,4609,4616,4621,4618,4816,5060,4777,4771,4790,4742,4743,4744
whitelist3 = 4754,4755,4756,4757,4758,4764,4720,4722,4723,4725,4726,4738,4740,4767,4780,5712,4662,5136,5137,5138,5139,5141,4625
blacklist1 = 4774,4775,4776,4768,4772,4769,4770,4783,4784,4785,4648,4786,4787,4788,4789,4782,4793,4724,4765,4766,4781
blacklist2 = 5453,4654,4977,5451,5452,4634,4647,4626,6272,6273,6274,6275,6276,6277,6278,6279,6280,4778,4779,4800
blacklist3 = 5152,5153,4656,4658,4690,4671,4691,5149,5888,5889,5890,5039,4709,4710,4711,4712,5040
blacklist4 = 4664,4985,5051,5031,5150,5151,5154,5155,5156,5157,5158,5159,4659,4660,4661,4663
blacklist5 = 5041,5042,5043,5044,5045,5046,5047,5048,5440,5441,5442,5443,5444,5446,5448,5449,5450,5456,5457,5458,5459,5460,5461,5462,5463,5464,5465,5466,5467,5468,5471,5472,5473,5474,5477,4944,4945,4946,4947,5062,6281
# Note: 4950 is listed here and in whitelist2; an event ID should appear in only one of the two lists.
blacklist6 = 4801,4802,4803,4964,4665,4666,4667,4668,4818,4874,4875,4876,4877,4878,4879,4880,4881,4883,4884,4885,4886,4887,4888,4889,4890,4891,4892,4893,4894,4895,4896,4897,4898,5168,4948,4949,4950,4951,4952,4953,4954,4956,4957,4958,4819,4909,4910,5063,5064,5065,5066,5067,6402,6403,6404,6405,6406,6407,6408,4610,4611,4614,4622,4697,4612,4615,5038,5056,5057,5061
blacklist7 = 4794,5376,5377,4692,4693,4694,4695,4688,4696,4928,4929,4930,4931,4934,4935,4936,4937,4932,4933,4978,4979,4980,4981,4982,4983,4984,4646,4650,4651,4652,4653,4655,4976,5049,5068,5069,5070,5447,6144,6145,4670,4672,4673,4674,4960,4961,4962,4963,4965,5478,5479,5480,5483,5484,5485,5024,5025,5027,5028,5029,5030,5032,5033,5034,5035,5037,5058,5059,6400,6401
blacklist8 = 4702,5148,4657,4715,4719,4817,4902,4904,4905,4906,4907,4908,4912,4713,4716,4717,4718,4739,4864,4865,4866,4867,4704
blacklist9 = 4745,4746,4747,4748,4749,4750,4751,4752,4753,4759,4760,4761,4762,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0


Re: Is there a limit to the number of whitelist/blacklist configurations for security event ID filtering?

Path Finder

Hi

There is no limit in filtering.
We had a similar issue.
You could combine all the whitelists and blacklists to improve readability.
Have a single whitelist and blacklist.
We resolved this by completing the ranges in the blacklist, so whatever is missing from the range in the whitelist should be listed in the blacklist.

A simple example

In the example below we have included 5100-5102 in the whitelist followed by 5104,
so 5103 should be included in the blacklist.
Also use ranges, say 5100-5200, instead of adding the IDs individually.

whitelist = 5100-5102,5104-5105,5108,xxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx
blacklist = 5103,5106-5107,zzzz,zzzz,zzzz,zzzz,zzzz

Please accept the answer if this solves your issue.

0 Karma
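An added example (not from the thread) of the consolidation described in the answer above: it reads the whitelist/whitelistN and blacklist/blacklistN values of a stanza, merges each kind into one list, collapses consecutive IDs into ranges, and reports any event ID that ends up in both lists. The stanza text is constructed for illustration and is not the asker's full config.

```python
import re

# Constructed sample stanza; the split keys, trailing comma and "5106 -5107"
# spacing mirror the shapes that appear in the posts above.
SAMPLE_STANZA = """
[WinEventLog://Security]
whitelist = 5100-5102,5104-5105,5108
whitelist1 = 4698,4699,4700,4701,4950
blacklist = 5103,5106 -5107,
blacklist1 = 4950,4951,4952
"""

def parse_ids(spec):
    # Expand "4649,5100-5102" into a set of ints; tolerates spaces and a trailing comma.
    ids = set()
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue  # empty token left by a trailing comma
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", tok)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            ids.update(range(lo, hi + 1))
        elif tok.isdigit():
            ids.add(int(tok))
        else:
            raise ValueError(f"not an event ID or range: {tok!r}")
    return ids

def to_ranges(ids):
    # Collapse sorted IDs into the "a-b,c" form the answer recommends (e.g. 5100-5102,5104).
    runs = []
    for n in sorted(ids):
        if runs and n == runs[-1][-1] + 1:
            runs[-1].append(n)
        else:
            runs.append([n])
    return ",".join(f"{r[0]}-{r[-1]}" if len(r) > 1 else str(r[0]) for r in runs)

def merge_lists(stanza, kind):
    # Union the values of whitelist/whitelist1-9 (or blacklist/blacklist1-9) in the stanza.
    ids = set()
    for key, val in re.findall(r"^\s*(\w+)\s*=\s*(.*)$", stanza, re.M):
        if re.fullmatch(kind + r"\d?", key):
            ids |= parse_ids(val)
    return ids

def consolidate(stanza):
    # Single whitelist/blacklist strings plus the IDs that conflict by being in both.
    wl, bl = merge_lists(stanza, "whitelist"), merge_lists(stanza, "blacklist")
    return {"whitelist": to_ranges(wl), "blacklist": to_ranges(bl), "in_both": sorted(wl & bl)}
```

Running `consolidate` on the asker's stanza reduces the nine blacklistN keys to one, which also stays under the per-stanza key limit mentioned later in this thread.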

Re: Is there a limit to the number of whitelist/blacklist configurations for security event ID filtering?

Explorer

Old question, but I still found it while searching for workarounds. Actually there is a limit on UFs: 10 blacklist entries per stanza within inputs.conf. I've hit the limit, and for some reason my regex searches can't be combined, namely those constructed like blacklist = Message="myregex".

E.g. Blacklist1 = Message ="myregex"|EventCode="eventcode#" Message="Myotherregex" | etc. does not parse. They only work on separate lines. That is why I've hit the limit.

0 Karma

Re: Is there a limit to the number of whitelist/blacklist configurations for security event ID filtering?

Explorer

Anticipating a 'did you try?': I also tried enclosing them in parentheses ()

e.g. Blacklist1 = (Message ="myregex"|EventCode="eventcode#" Message="Myotherregex")

No joy.

0 Karma