Trying to reduce some of the noise caused by NTLM failures by adding the following to our Windows Event Log stanza for our DCs:
blacklist1 = EventCode="8004" Workstation_name="SERVERNAME*"
Due to a large server deployment, I'm using a wildcard at the end to filter out 8004 events from a group of servers with a common prefix. I can't get this working, is the wildcard throwing it off?
Can you provide your whole stanza and which file it's in?
I know that whitelists and blacklists in inputs.conf stanzas only use regular expressions, not search terms, but maybe I'm in the wrong neighborhood.
This is in our inputs.conf file in our deployment app.
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="8004" Workstation_name="SERVERNAME*"
blacklist4 = EventCode="8004" Workstation_name="OTHERSERVERNAME*"
index = wineventlog
I've not had the opportunity to try to filter a Windows Event Log like that, but I can see the regex in blacklist1 and blacklist2 (the \s+). So, I believe that this file only uses regex in blacklists. So, that means the wildcard is being misinterpreted at best.
Is blacklist1 or blacklist2 working? Those are at least closer to what I think should be here -- but even those I think might have issues.
I think you may want to have a look at this:
Specifically, under the section: Keep specific events and discard the rest
Wait... here's the real page you want to look at:
Scroll down to Create advanced filters with 'whitelist' and 'blacklist'
Following this syntax, you probably need something like:
blacklist1 = EventCode="8004" Message="Workstation_name:\s+(?!SERVERNAME)"
(note: haven't tested it -- just a guess).
08/26/2019 12:34:20 PM
Message=Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: ########
User name: ##########
Domain name: NULL
Workstation name: #########
Secure Channel type: 2
Audit NTLM authentication requests within the domain NULL that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.
If you want to allow NTLM authentication requests in the domain NULL, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.
If you want to allow NTLM authentication requests to specific servers in the domain NULL, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain NULL to which clients are allowed to use NTLM authentication.
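The following is an added example, not code from the thread or from Splunk. It is a small Python simulator of the key="regex" blacklist syntax used in the stanza above, run against events constructed to look like the 8004 event quoted here (field names follow the asker's stanza; host and user values are made up). It assumes two things about the real matcher that the page itself does not state: that every key=regex pair in one blacklist entry must match for the event to be dropped, and that each regex is an unanchored search over the field value. Under those assumptions it shows why the glob-style SERVERNAME* does not do what was intended (as a regex, the * applies to the final E, so it also matches SERVERNAM and any host that merely contains the prefix), that an anchored ^SERVERNAME expresses the intent, that the Message-based pattern from the reply needs the label spelled the way it appears in the event text ("Workstation name:" with a space rather than Workstation_name:), and that the negative lookahead form keeps the SERVERNAME hosts and drops everything else, which is the "keep specific events and discard the rest" pattern rather than the asker's goal. The curly quotes from the original post are rejected by this simulator's parser; how Splunk treats them is not shown on the page.

```python
import re

# Constructed message text modelled on the 8004 event quoted in the thread.
# Host, user and secure-channel values are made up for the example.
SAMPLE_MESSAGE = (
    "Domain Controller Blocked Audit: Audit NTLM authentication to this "
    "domain controller.\n"
    "Secure Channel name: DC01\n"
    "User name: jdoe\n"
    "Domain name: NULL\n"
    "Workstation name: {ws}\n"
    "Secure Channel type: 2"
)


def make_event(workstation, code="8004"):
    """Build a dict of extracted fields, using the asker's field names."""
    return {
        "EventCode": code,
        "Workstation_name": workstation,
        "Message": SAMPLE_MESSAGE.format(ws=workstation),
    }


# One key="regex" pair; the value may contain escaped characters such as \s.
PAIR_RE = re.compile(r'\s*(\w+)="((?:[^"\\]|\\.)*)"')
WHOLE_RE = re.compile(r'(?:\s*\w+="(?:[^"\\]|\\.)*")+\s*')


def filter_is_well_formed(expr):
    """True only if the whole entry is a sequence of key="regex" pairs.
    Curly quotes, as in the original post, fail this check."""
    return WHOLE_RE.fullmatch(expr) is not None


def parse_filter(expr):
    """Return [(field, compiled regex), ...] for a blacklist entry."""
    if not filter_is_well_formed(expr):
        raise ValueError(f"not a valid key=\"regex\" list: {expr!r}")
    return [(key, re.compile(rx)) for key, rx in PAIR_RE.findall(expr)]


def is_blacklisted(event, expr):
    """Assumption (not stated on the page): every pair must match, and each
    regex is an unanchored search over the field's value."""
    return all(
        rx.search(str(event.get(key, ""))) is not None
        for key, rx in parse_filter(expr)
    )


def dropped_hosts(expr, hosts):
    """Which of the given workstations would have their 8004 events dropped."""
    return [h for h in hosts if is_blacklisted(make_event(h), expr)]


# Hosts chosen to expose the difference between a glob and a regex.
HOSTS = ["SERVERNAME01", "SERVERNAME02", "SERVERNAM", "OLDSERVERNAME7", "WKSTN-42"]

# 1. The asker's entry, with straight quotes: '*' repeats the final 'E'.
ASKER = 'EventCode="8004" Workstation_name="SERVERNAME*"'
# 2. Anchored prefix match, which is what the glob was meant to say.
ANCHORED = 'EventCode="^8004$" Workstation_name="^SERVERNAME"'
# 3. The reply's suggestion: the label in the event text has a space, not '_'.
REPLY = r'EventCode="8004" Message="Workstation_name:\s+(?!SERVERNAME)"'
# 4. Same idea with the label as it appears in the message body.
REPLY_FIXED = r'EventCode="8004" Message="Workstation name:\s+(?!SERVERNAME)"'

if __name__ == "__main__":
    for label, expr in [("asker", ASKER), ("anchored", ANCHORED),
                        ("reply", REPLY), ("reply_fixed", REPLY_FIXED)]:
        print(f"{label:12s} drops {dropped_hosts(expr, HOSTS)}")
    curly = 'EventCode="8004" Workstation_name=\u201dSERVERNAME*\u201d'
    print("curly quotes well-formed:", filter_is_well_formed(curly))
```

Run it and compare the four result lists: the asker's pattern over-matches, the anchored one drops exactly the SERVERNAME hosts, the reply's pattern as written matches nothing against this message text, and the corrected lookahead drops every host except the SERVERNAME ones. When adjusting a production stanza, test each entry against a captured event in the same way before deploying it, since a filter that silently matches nothing or far too much is easy to miss in the index.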