Getting Data In

Multiple whitelists in inputs.conf

marco_massari11
Communicator

Hello,

I need to monitor two different types of events for some servers: the authentication events (4624, 4634, 4625) for the admin users and some Event IDs related to change events (5145, 4663, 4659) for a specific path. Basically I created a server class for the inputs.conf deployment, adding this:

###### OS Logs ######
[WinEventLog://Security]
disabled = 0
index = windows_tmp
followTail=true
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = (EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*))
renderXml=false
 
 
I already tested the regex in regex101 https://regex101.com/r/LIaMnU/1 and it seems to work fine, but in Splunk I'm receiving all the events, as if the whitelist were not applied. Am I missing something?
 
 
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

As @richgalloway already pointed out - the format is wrong. You need the key=regex format. And you need to split it into separate whitelist entries (each entry can have multiple key=regex parameters).

The trick here is that Account Name is not a field within the event but a field in the Message field of the event. So you need to match it as a regex within the Message field.

So you'd effectively end up with something like

whitelist1 = EventCode=%(4624|4634|4625)% Message=%Account Name:.*\.adm%
whitelist2 = EventCode=%(4659|4663|5145)% Message=%Object Name:.*Test_share%
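
To make the two rules in the accepted answer concrete, here is an added example (not code from the original thread, and not Splunk's own implementation) that parses whitelistN values in the two forms richgalloway lists (an event-ID list, or key=%regex% pairs) and runs constructed sample Security events through them. It encodes the semantics the answer relies on: inside one entry every key=%regex% must match (AND), while the numbered entries are independent, so an event is kept when any one of them matches. Splunk evaluates the regexes with PCRE; Python's re behaves the same for these patterns. The inputs.conf text, the event bodies and the function names are all constructed for this example.

```python
import re

# Constructed inputs.conf fragment in the key=%regex% form the accepted answer
# recommends (sample text for this example, not the poster's original stanza).
INPUTS_CONF = r"""
[WinEventLog://Security]
whitelist1 = EventCode=%(4624|4634|4625)% Message=%Account Name:.*\.adm%
whitelist2 = EventCode=%(4659|4663|5145)% Message=%Object Name:.*Test_share%
"""

# The same conditions squeezed into ONE entry, to show what ANDing the keys does.
ONE_ENTRY_CONF = r"""
whitelist1 = EventCode=%(4624|4634|4625|4659|4663|5145)% Message=%Account Name:.*\.adm% Message=%Object Name:.*Test_share%
"""

PAIR_RE = re.compile(r"(\w+)=%([^%]*)%")   # one key=%regex% pair (regexes containing % not handled)
ID_LIST_RE = re.compile(r"^[\d,\s-]+$")    # the other accepted form: 4624,4634 or 4624-4634


def parse_whitelists(conf):
    """Return {entry_name: [(key, compiled_regex), ...]} for every whitelistN line.
    An event-ID list becomes one anchored EventCode regex; a value in neither
    form (such as the bare regex in the original post) raises ValueError."""
    entries = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(whitelist\d*)\s*=\s*(.*\S)", line)
        if not m:
            continue
        name, value = m.groups()
        if ID_LIST_RE.match(value):
            ids = []
            for part in value.replace(" ", "").split(","):
                lo, _, hi = part.partition("-")
                ids.extend(str(i) for i in range(int(lo), int(hi or lo) + 1))
            entries[name] = [("EventCode", re.compile(r"^(?:%s)$" % "|".join(ids)))]
            continue
        pairs = [(key, re.compile(rx)) for key, rx in PAIR_RE.findall(value)]
        if not pairs:
            raise ValueError(f"{name}: neither an event-ID list nor key=%regex% form: {value!r}")
        entries[name] = pairs
    return entries


def is_valid_whitelist(value):
    """True when a whitelist value is in one of the two accepted forms."""
    try:
        parse_whitelists("whitelist = " + value)
    except ValueError:
        return False
    return True


def entry_matches(pairs, event):
    """Inside one entry every key=%regex% must match: the keys are ANDed."""
    return all(rx.search(event.get(key, "")) for key, rx in pairs)


def matching_entries(entries, event):
    """Numbered entries are independent: the event is kept if ANY of them matches."""
    return [name for name, pairs in entries.items() if entry_matches(pairs, event)]


# Constructed Security-log events: EventCode plus a shortened Message body that keeps
# the lines the regexes look at (real messages are longer). Note that 5145 reports the
# share as "Share Name"/"Share Path", not "Object Name", so it is NOT kept as written.
SAMPLE_EVENTS = {
    "admin_logon": {"EventCode": "4624", "Message":
        "An account was successfully logged on.\nNew Logon:\n"
        "\tAccount Name:\t\tjsmith.adm\n\tAccount Domain:\t\tCORP\n"},
    "user_logon": {"EventCode": "4624", "Message":
        "An account was successfully logged on.\nNew Logon:\n"
        "\tAccount Name:\t\tjsmith\n\tAccount Domain:\t\tCORP\n"},
    "file_access": {"EventCode": "4663", "Message":
        "An attempt was made to access an object.\nSubject:\n\tAccount Name:\t\tsvc_backup\n"
        "Object:\n\tObject Name:\tC:\\Shares\\Test_share\\report.xlsx\n"},
    "share_check": {"EventCode": "5145", "Message":
        "A network share object was checked to see whether client can be granted desired access.\n"
        "Share Information:\n\tShare Name:\t\t\\\\*\\Test_share\n\tRelative Target Name:\treport.xlsx\n"},
    "other_access": {"EventCode": "4663", "Message":
        "An attempt was made to access an object.\nSubject:\n\tAccount Name:\t\tjsmith.adm\n"
        "Object:\n\tObject Name:\tC:\\Windows\\Temp\\x.tmp\n"},
}


def classify(conf=INPUTS_CONF, events=SAMPLE_EVENTS):
    """Map each sample event to the whitelist entries that would keep it."""
    entries = parse_whitelists(conf)
    return {label: matching_entries(entries, ev) for label, ev in events.items()}


if __name__ == "__main__":
    for label, kept_by in classify().items():
        print(f"{label:13s} -> {kept_by or 'dropped'}")
    print("single AND entry keeps:", [k for k, v in classify(ONE_ENTRY_CONF).items() if v])
```

Two things the run makes visible. First, folding both conditions into one entry keeps nothing at all, because an admin logon has no Object Name line and a file access by a non-admin account has no .adm Account Name: keys inside one entry are ANDed, which is why the answer splits them into whitelist1 and whitelist2. Second, the Message text differs per event ID: 5145 names the share under Share Name and Share Path rather than Object Name, so a rule written against Object Name will match 4659 and 4663 but silently drop 5145 unless that entry gets its own regex. After editing inputs.conf on the forwarder, restart it and watch a search over the target index for each event ID separately rather than trusting that the overall volume went down.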

gcusello
SplunkTrust
SplunkTrust

Hi @marco_massari11 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

richgalloway
SplunkTrust
SplunkTrust

The whitelist value must be a list of event IDs or one or more key=regex expressions.  The current value is just a regular expression, which is not supported.

---
If this reply helps you, Karma would be appreciated.

marco_massari11
Communicator

Hello @richgalloway ,

do you have any possible solution?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I don't really have a solution.  I was going to suggest multiple white lists, but you said that didn't work for you.

Also, you want to filter on AccountName and ObjectName, but those fields are not supported by whitelist/blacklist.  See https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf#Event_Log_allow_list_and_deny_li...for the list of supported fields.

Consider ingesting the Windows events in XML format and filtering them using the $XmlRegex key.  See https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorWindowseventlogdata#Use_allow_l... for more information.

---
If this reply helps you, Karma would be appreciated.

gcusello
SplunkTrust
SplunkTrust

Hi @marco_massari11,

at first sight the regex isn't correct; what happens if you try it in a search using the regex command?

Ciao.

Giuseppe

marco_massari11
Communicator

Hello @gcusello ,

you're right, in Splunk I get the following error: "The regex '((EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*)))' does not extract anything. It should specify at least one named group. Format: (?<name>...)". I also tried to split the regex into two separate whitelists, but I think they are in AND, so it's not working. Do you have a solution?

Regards,

Marco

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @marco_massari11 ,

identify the three regexes and collect them using .*

Ciao.

Giuseppe
