We are working on moving from Splunk Add-on for Microsoft Windows DNS to Splunk Add-on for Microsoft Windows. We currently have the blacklist for event codes 4662 and 566 setup in the Windows add-on as blacklist1 and blacklist 2, respectively.
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
The question I have is, we have some servers that have a blacklist on event codes 4634 and 4907 (activedirectory/local/inputs.conf)
blacklist = 4634,4907
What would be best way to go about getting these two to work together? If I name it blacklist 9, will that still work, as there is not a 1-8 or a 3-8?
Or would it be better if I just made a copy of the Windows Add-on for those servers?
Yes, have 2 apps, with different names and have one with blacklist1
and blacklist2
, the other with blacklist9
(or blacklist3
; both should work). Deploy one, the other or both, and it will do what you expect/need.
you have an option to group the eventcode when there are having the same message pattern.
blacklist1 = EventCode="(566|4662)" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="(4634|4907)" Message="Account Name:(\W+\w+$)"
Here you have a document with more details about blacklist windows events
https://gist.github.com/automine/a3915d5238e2967c8d44b0ebcfb66147
you also have an option to use the add-on because all the configuration is already there, so you can also customise this add-on with those new blacklist