Getting Data In

Multiple blacklist from different inputs

cboillot
Contributor

We are working on moving from Splunk Add-on for Microsoft Windows DNS to Splunk Add-on for Microsoft Windows. We currently have the blacklist for event codes 4662 and 566 setup in the Windows add-on as blacklist1 and blacklist 2, respectively.

blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"

The question I have is, we have some servers that have a blacklist on event codes 4634 and 4907 (activedirectory/local/inputs.conf)

blacklist = 4634,4907

What would be best way to go about getting these two to work together? If I name it blacklist 9, will that still work, as there is not a 1-8 or a 3-8?

Or would it be better if I just made a copy of the Windows Add-on for those servers?

0 Karma

woodcock
Esteemed Legend

Yes, have 2 apps, with different names and have one with blacklist1 and blacklist2, the other with blacklist9 (or blacklist3; both should work). Deploy one, the other or both, and it will do what you expect/need.

0 Karma

ivanreis
Builder

you have an option to group the eventcode when there are having the same message pattern.

blacklist1 = EventCode="(566|4662)" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="(4634|4907)" Message="Account Name:(\W+\w+$)"

Here you have a document with more details about blacklist windows events
https://gist.github.com/automine/a3915d5238e2967c8d44b0ebcfb66147

you also have an option to use the add-on because all the configuration is already there, so you can also customise this add-on with those new blacklist

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...