Getting Data In

Problem with Blacklisting and wildcards

asofo
Path Finder

Trying to reduce some of the noise caused by NTLM failures by adding the following to our Windows Event Log stanza for our DCs:

blacklist1 = EventCode="8004" Workstation_name="SERVERNAME*"

Due to a large server deployment, I'm using a wildcard at the end to filter out 8004 events from a group of servers with a common prefix. I can't get this working, is the wildcard throwing it off?


memarshall63
Communicator

Can you provide your whole stanza and which file it's in?

I know that whitelists and blacklists in inputs.conf stanzas only use regular expressions, not search terms, but maybe I'm in the wrong neighborhood.


asofo
Path Finder

This is in our inputs.conf file in our deployment app.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="8004" Workstation_name="SERVERNAME*"
blacklist4 = EventCode="8004" Workstation_name="OTHERSERVERNAME*"
index = wineventlog
renderXml=false


memarshall63
Communicator

Hi..

I've not had the opportunity to try to filter a Windows Event Log like that, but I can see the regex in blacklist1 and blacklist2 (the \s+). So, I believe that this file only uses regex in blacklists. So, that means the wildcard is being misinterpreted at best.

Is blacklist1 or blacklist2 working? Those are at least closer to what I think should be here -- but even those I think might have issues.

I think you may want to have a look at this:
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

Specifically, under the section: Keep specific events and discard the rest


memarshall63
Communicator

Wait... here's the real page you want to look at:

https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/MonitorWindowseventlogdata

Scroll down to Create advanced filters with 'whitelist' and 'blacklist'

Following this syntax, you probably need something like:
blacklist1 = EventCode="8004" Message="Workstation_name:\s+(?!SERVERNAME)"

(note: haven't tested it -- just a guess).


asofo
Path Finder

Thanks! I'm looking into and testing this now. I'll let you know how I make out.


mayurr98
SplunkTrust

What does the event look like? Could you provide a sample event?


asofo
Path Finder

Sure:

08/26/2019 12:34:20 PM
LogName=Microsoft-Windows-NTLM/Operational
SourceName=Microsoft-Windows-Security-Netlogon
EventCode=8004
EventType=4
Type=Information
ComputerName=#######
User=NOT_TRANSLATED
Sid=#####
SidType=0
TaskCategory=Auditing NTLM
OpCode=Info
RecordNumber=#####
Keywords=None
Message=Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: ########
User name: ##########
Domain name: NULL
Workstation name: #########
Secure Channel type: 2

Audit NTLM authentication requests within the domain NULL that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.

If you want to allow NTLM authentication requests in the domain NULL, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain NULL, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain NULL to which clients are allowed to use NTLM authentication.

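An added example (not from the thread or from Splunk) that runs the three blacklist styles discussed above against a constructed copy of the 8004 event, treating each key="regex" pair as a regex search over the named field and requiring every pair in a rule to match. It assumes Splunk evaluates the pairs that way and uses placeholder names in the sample event; it shows why the glob on a Workstation_name key and the (?!SERVERNAME) guess never drop this event, while a regex over the Message text (which spells the field "Workstation name:" with a space) does.

```python
import re

# Constructed sample, modelled on the 8004 event posted in the thread (names are placeholders).
SAMPLE_EVENT = """08/26/2019 12:34:20 PM
LogName=Microsoft-Windows-NTLM/Operational
SourceName=Microsoft-Windows-Security-Netlogon
EventCode=8004
EventType=4
Type=Information
ComputerName=DC01
User=NOT_TRANSLATED
TaskCategory=Auditing NTLM
Message=Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: DC01
User name: svc_app
Domain name: NULL
Workstation name: SERVERNAME07
Secure Channel type: 2
"""

def parse_event(text):
    """Turn the key=value header lines into a dict; everything from the
    'Message=' line onward is the multi-line Message field."""
    lines = text.strip().splitlines()
    fields = {}
    for i, line in enumerate(lines[1:], start=1):   # lines[0] is the timestamp
        if line.startswith("Message="):
            fields["Message"] = "\n".join([line[len("Message="):]] + lines[i + 1:])
            break
        key, _, value = line.partition("=")
        fields[key] = value
    return fields

def blacklisted(fields, rule):
    """rule maps field key -> regex, like 'blacklistN = key="regex" key2="regex2"'.
    Assumption: every key must exist in the event and its regex must search-match."""
    return all(k in fields and re.search(rx, fields[k]) is not None for k, rx in rule.items())

def evaluate(text, rules):
    """Return {rule name: True if the event would be dropped by that rule}."""
    fields = parse_event(text)
    return {name: blacklisted(fields, rule) for name, rule in rules.items()}

RULES = {
    # Original attempt: no 'Workstation_name' header field exists, so this can never match.
    "glob_on_missing_key": {"EventCode": "8004", "Workstation_name": "SERVERNAME*"},
    # Guess from the thread: underscore and negative lookahead, so it does not match this event.
    "lookahead_guess": {"EventCode": "8004", "Message": r"Workstation_name:\s+(?!SERVERNAME)"},
    # Regex over the Message text as the event actually spells the field.
    "message_regex": {"EventCode": "8004", "Message": r"Workstation name:\s+SERVERNAME\w*"},
}

if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENT, RULES).items():
        print(f"{name}: {'drop' if hit else 'keep'}")
```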