Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Mupltiple whitelist in inputs.conf

marco_massari11
Communicator
‎05-03-2024 05:56 AM

Hello,

I need to monitor two different types of events for some servers, the authentication events (4624,4634,4625) for the admin users and some Event ID related to change events (5145,4663,4659) for a specific path. Baiscally I created a server class for the inputs.conf deployment, adding this:

###### OS Logs ######
[WinEventLog://Security]
disabled = 0
index = windows_tmp
followTail=true
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = (EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*))
renderXml=false
 
 
I already tested the regex in regex101 https://regex101.com/r/LIaMnU/1 and it seems working fine, but in Splunk I'm receiving all the events as the whitelist is not applied. Am I missing something?
 
 
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎05-05-2024 07:54 AM

As @richgalloway already pointed out - the format is wrong. You need the key=regex format. And you need to split it into separate whitelist entries (each entry can have multiple key=regex parameters).

The trick here is that Account Name is not a field within the event but a field in the Message field of the event. So you need to match it as a regex within the Message field.

So you'd effectively end up with something like

whitelist1 = EventCode=%(4624|4634|4625)% Message=%Account Name:.*\.adm%
whitelist2 = EventCode=%(4659|4663|5145)% Message=%Object Name:.*Test_share%

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎05-05-2024 07:54 AM

As @richgalloway already pointed out - the format is wrong. You need the key=regex format. And you need to split it into separate whitelist entries (each entry can have multiple key=regex parameters).

The trick here is that Account Name is not a field within the event but a field in the Message field of the event. So you need to match it as a regex within the Message field.

So you'd effectively end up with something like

whitelist1 = EventCode=%(4624|4634|4625)% Message=%Account Name:.*\.adm%
whitelist2 = EventCode=%(4659|4663|5145)% Message=%Object Name:.*Test_share%
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-06-2024 01:56 AM

Hi @marco_massari11 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2024 09:26 AM

The whitelist value must be a list of event IDs or one or more key=regex expressions.  The current value is just a regular expression, which is not supported.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

marco_massari11
Communicator
‎05-03-2024 10:31 AM

Hello @richgalloway ,

have you any possible solution?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-04-2024 05:10 AM

I don't really have a solution.  I was going to suggest multiple white lists, but you said that didn't work for you.

Also, you want to filter on AccountName and ObjectName, but those fields are not supported by whitelist/blacklist.  See https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf#Event_Log_allow_list_and_deny_li...for the list of supported fields.

Consider ingesting the Windows events in XML format and filtering them using the $XmlRegex key.  See https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorWindowseventlogdata#Use_allow_l... for more information.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-03-2024 06:37 AM

Hi @marco_massari11,

at a first sight the regex isn't correct, what does it happen if you try to use it in search using the regex command?

Ciao.

Giuseppe

Reply
Solved! Jump to solution

marco_massari11
Communicator
‎05-03-2024 07:48 AM

Hello @gcusello ,

you're right, in Splunk I have the following error "The regex '((EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*)))' does not extract anything. It should specify at least one named group. Format: (?<name>...)". I tried also to split the regex in two separated whitelist, but I think they are in AND, so it's not working. Have you some solution?

Regards,

Marco

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-03-2024 07:54 AM

Hi @marco_massari11 ,

identify the three regexes and collect them using .*

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...