Problem with Blacklisting and wildcards

asofo
Path Finder

Trying to reduce some of the noise caused by NTLM failures by adding the following to our Windows Event Log stanza for our DCs:

blacklist1 = EventCode="8004" Workstation_name="SERVERNAME*"

Due to a large server deployment, I'm using a wildcard at the end to filter out 8004 events from a group of servers with a common prefix. I can't get this working; is the wildcard throwing it off?

0 Karma

memarshall63
Communicator

Can you provide your whole stanza and which file it's in?

I know that whitelists and blacklists in inputs.conf stanzas only use regular expressions, not search terms, but maybe I'm in the wrong neighborhood.

0 Karma

asofo
Path Finder

This is in our inputs.conf file in our deployment app.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="8004" Workstation_name="SERVERNAME*"
blacklist4 = EventCode="8004" Workstation_name="OTHERSERVERNAME*"
index = wineventlog
renderXml=false

0 Karma

memarshall63
Communicator

Hi..

I've not had the opportunity to try to filter a Windows Event Log like that, but I can see the regex in blacklist1 and blacklist2 (the \s+). So, I believe that this file only uses regex in blacklists. So, that means the wildcard is being misinterpreted at best.

Is blacklist1 or blacklist2 working? Those are at least closer to what I think should be here -- but even those I think might have issues.

I think you may want to have a look at this:
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

Specifically, under the section: Keep specific events and discard the rest

0 Karma

memarshall63
Communicator

Wait... here's the real page you want to look at:

https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/MonitorWindowseventlogdata

Scroll down to Create advanced filters with 'whitelist' and 'blacklist'

Following this syntax, you probably need something like:
blacklist1 = EventCode="8004" Message="Workstation_name:\s+(?!SERVERNAME)"

(note: haven't tested it -- just a guess).

0 Karma

asofo
Path Finder

Thanks! I'm looking into this and testing it now. I'll let you know how I make out.

0 Karma

mayurr98
Super Champion

What does the event look like? Could you provide a sample event?

0 Karma

asofo
Path Finder

Sure:

08/26/2019 12:34:20 PM
LogName=Microsoft-Windows-NTLM/Operational
SourceName=Microsoft-Windows-Security-Netlogon
EventCode=8004
EventType=4
Type=Information
ComputerName=#######
User=NOT_TRANSLATED
Sid=#####
SidType=0
TaskCategory=Auditing NTLM
OpCode=Info
RecordNumber=#####
Keywords=None
Message=Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: ########
User name: ##########
Domain name: NULL
Workstation name: #########
Secure Channel type: 2

Audit NTLM authentication requests within the domain NULL that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.

If you want to allow NTLM authentication requests in the domain NULL, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain NULL, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain NULL to which clients are allowed to use NTLM authentication.

0 Karma
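As an added illustration (not code from the thread or from Splunk), the script below models the key=regex blacklist semantics memarshall63 points to and runs the question's rules against a constructed copy of the sample 8004 event above. The matching model (every key="regex" pair must match, a key the rendered event does not carry never matches, each regex is an unanchored search) is my assumption about Splunk's behaviour, and the hostnames and user name are made up.

```python
import re
# Constructed sample shaped like the NTLM 8004 event posted above (hostnames
# and user made up); {ws} is filled in per test case.
SAMPLE_EVENT = """LogName=Microsoft-Windows-NTLM/Operational
EventCode=8004
ComputerName=DC01
Message=Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: DC01
User name: svc_backup
Domain name: NULL
Workstation name: {ws}
"""

def parse_event(text):
    # Everything from "Message=" onward, including later lines, is the Message field.
    fields, lines = {}, text.strip().splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Message="):
            fields["Message"] = "\n".join([line[len("Message="):]] + lines[i + 1:])
            break
        key, _, value = line.partition("=")
        fields[key] = value
    return fields

# Simplified model (an assumption, not Splunk's code) of inputs.conf key=regex
# filters: every key="regex" pair must match for a rule to fire, a key the event
# does not carry never matches, and each regex is an unanchored search.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def rule_matches(rule, fields):
    pairs = PAIR_RE.findall(rule)
    return bool(pairs) and all(
        key in fields and re.search(regex, fields[key]) is not None
        for key, regex in pairs)

def classify(rules, workstations):
    # Map each workstation name to True if its 8004 event would be dropped.
    return {ws: any(rule_matches(r, parse_event(SAMPLE_EVENT.format(ws=ws)))
                    for r in rules) for ws in workstations}
# The rule from the question: Workstation_name is not a field of the rendered
# event (the name only appears inside Message), so it never fires.
WILDCARD_RULE = [r'EventCode="8004" Workstation_name="SERVERNAME*"']
# Matching the prefix inside the Message text drops exactly the intended hosts.
PREFIX_RULES = [r'EventCode="8004" Message="Workstation name:\s+SERVERNAME"',
                r'EventCode="8004" Message="Workstation name:\s+OTHERSERVERNAME"']
# A negative lookahead inverts the selection: it drops every host that does NOT
# start with SERVERNAME, i.e. the "keep these, discard the rest" shape.
INVERTED_RULE = [r'EventCode="8004" Message="Workstation name:\s+(?!SERVERNAME)"']
HOSTS = ["SERVERNAME01", "OTHERSERVERNAME02", "WKS-LAPTOP9"]
```

Running classify() with each rule set shows which of the three constructed hosts would still be indexed, which is the check worth doing before pushing a blacklist change to every DC.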