Getting Data In

Prevent ingestion of "NT AUTHORITY\SYSTEM" EventCode 4663

sswigart
Explorer

I am exceeding my 5GB license. I have determined the problem by doing a 24 hour search using the following:

index="winlogs" host=filesvr source="WinEventLog:Security" EventCode=4663 Accesses="ReadData (or ListDirectory)" Security_ID="NT AUTHORITY\SYSTEM"

The above search returns 4.5 million plus records.

My question is how do I stop Splunk from ingesting Security_ID="NT AUTHORITY\SYSTEM" of EventCode 4663?

Would appreciate any assistance/suggestions given.


gcusello
SplunkTrust

Hi @sswigart ,

as you can read at https://docs.splunk.com/Documentation/Splunk/9.2.2/Admin/Inputsconf#Event_Log_filtering,

if the logs you indicated aren't relevant for your searches, you can follow the instructions in the above link, adding a blacklist to your inputs.conf in the WinEventLog:Security stanza.

Only one attention point: in the blacklist you must use a regex, not a string to search.

Ciao.

Giuseppe


PickleRick
SplunkTrust

Actually, you can blacklist by event codes or by regex (with a caveat: if you use renderXml=true, you have to specify the blacklist differently).

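Putting the two answers together, here is an added example of an inputs.conf stanza (not from the original thread or from Splunk's docs) that drops 4663 events whose Subject is NT AUTHORITY\SYSTEM on the forwarder. The stanza name, the index, and the XML field name SubjectUserSid are assumptions for this illustration; the blacklist key syntax is the one from the inputs.conf documentation linked above.

```ini
# inputs.conf on the Windows universal forwarder (filesvr)
# Assumed stanza: classic (non-XML) rendering of the Security log
[WinEventLog://Security]
disabled = 0
index = winlogs
renderXml = false

# blacklist<N> takes key="regex" pairs, all of which must match for the
# event to be dropped. The value is a regex, not a literal string, so
# the backslash in NT AUTHORITY\SYSTEM is escaped and \s+ absorbs the
# tab/space padding Windows puts after "Security ID:" in the Subject block.
blacklist1 = EventCode="4663" Message="Security ID:\s+NT AUTHORITY\\SYSTEM"

# Check before deploying: run the original search over the last 24 hours
# after the forwarder restarts; the 4663/SYSTEM count should drop to zero
# while 4663 events for other Security IDs keep arriving.
# Caveat: filtered events never reach the index, so any detection that
# relies on SYSTEM file reads (e.g. service account misuse) loses visibility.

# If renderXml = true, the Message/EventCode keys do not apply to the XML
# payload. The documented alternative is a single $XmlRegex key over the
# rendered XML; the assumed (constructed) form for the same filter is:
# blacklist1 = $XmlRegex="(?s)<EventID>4663</EventID>.*<Data Name='SubjectUserSid'>S-1-5-18</Data>"
# (S-1-5-18 is the well-known SID of NT AUTHORITY\SYSTEM.)
```

Edit the copy on the forwarder (not the indexer), since event log filtering happens where the input runs; a restart of the forwarder service is needed for the change to take effect.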