My inputs.conf from the deployment server (confirmed that it is being pushed to all hosts correctly):
{WinEventLog://Security}
index = wineventlog
sourcetype = WinEventLog:Security
disabled = 0
whitelist = EventCode="0-6000"
blacklist = EventCode="1,2,3,4,"
Substituted other values for the blacklisted ones. Despite being explicitly disallowed, all host forwarders are still collecting and forwarding these events to the indexer. Am I misconfiguring this?
Yes, you are.
whitelist/blacklist has two options.
1. You explicitly list (dis)allowed event codes:
blacklist1=17,234,4762-4767
2. You specify key=regex to match (caveat: this doesn't work with XML-rendered events; in that case you need another setting):
blacklist1 = EventCode=%47..%
You tried to use the second option to do the first one.
Try setting it like this:
[WinEventLog://Security]
index = wineventlog
sourcetype = WinEventLog:Security
disabled = 0
whitelist = 0-6000
blacklist = 1,2,3,4
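To make the difference between the two forms concrete, here is an added example (not Splunk's code and not from either answer) that models the two whitelist/blacklist syntaxes described above: a plain list of event IDs and ID ranges, and key=regex. It lints a setting so that a value like `EventCode="0-6000"` is flagged as a regex that was meant to be a code list, and it evaluates the corrected stanza against a few constructed event codes. The regex delimiters accepted (`%...%` and `"..."`), the unanchored regex match, and the rule that a blacklist match wins over a whitelist match are assumptions of this model, not statements about the forwarder's implementation.

```python
import re

# Added example: a model of the two inputs.conf whitelist/blacklist forms.
# Not Splunk's parser; precedence and delimiter handling are assumptions.

# Form 1 item: "17" or "4762-4767"
_RANGE_RE = re.compile(r"^\s*(\d+)\s*(?:-\s*(\d+))?\s*$")
# Form 2: key=regex, with the regex delimited by % (as in the answer) or " (as in the question).
# Assumption: both delimiters are accepted; the key is a single field name.
_KEY_REGEX_RE = re.compile(r'^\s*(\w+)\s*=\s*(["%])(.*)\2\s*$')


def parse_event_codes(value):
    """Form 1: comma-separated event IDs and ranges, e.g. '17,234,4762-4767'.
    Returns the set of integer codes; raises ValueError for anything else
    (including a trailing comma, which leaves an empty item)."""
    codes = set()
    for item in value.split(","):
        m = _RANGE_RE.match(item)
        if not m:
            raise ValueError(f"not an event-code list item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range: {item!r}")
        codes.update(range(lo, hi + 1))
    return codes


def parse_filter(value):
    """Classify a value as ('codes', set_of_ints) or ('regex', key, compiled_regex)."""
    m = _KEY_REGEX_RE.match(value)
    if m:
        return ("regex", m.group(1), re.compile(m.group(3)))
    return ("codes", parse_event_codes(value))


def lint_filter(name, value):
    """Return warnings for one whitelist/blacklist setting; [] means it looks fine."""
    try:
        kind = parse_filter(value)
    except ValueError as e:
        return [f"{name}: {e}"]
    if kind[0] == "regex":
        key, rx = kind[1], kind[2]
        # A "regex" made only of digits, commas and dashes is almost certainly
        # a code list written in the key=regex form (the mistake in the question).
        if re.fullmatch(r"[\d,\s-]+", rx.pattern):
            return [f"{name}: {rx.pattern!r} is a regex on {key}, not an event-code list; "
                    f"write {name} = {rx.pattern.strip(', ')} instead"]
    return []


def filter_matches(kind, event):
    """Does a parsed filter match a constructed event (a dict of field -> value)?"""
    if kind[0] == "codes":
        return int(event["EventCode"]) in kind[1]
    _, key, rx = kind
    # Assumption: the regex is applied unanchored to the field's string value.
    return key in event and rx.search(str(event[key])) is not None


def event_forwarded(whitelist, blacklist, event):
    """Model: the whitelist (if set) must match and the blacklist (if set) must not.
    Assumption for this example: a blacklist match overrides a whitelist match."""
    if whitelist is not None and not filter_matches(parse_filter(whitelist), event):
        return False
    if blacklist is not None and filter_matches(parse_filter(blacklist), event):
        return False
    return True


if __name__ == "__main__":
    # Settings from the question, then the corrected ones from the second answer.
    asked = {"whitelist": 'EventCode="0-6000"', "blacklist": 'EventCode="1,2,3,4,"'}
    fixed = {"whitelist": "0-6000", "blacklist": "1,2,3,4"}
    for name, value in asked.items():
        for warning in lint_filter(name, value):
            print("question:", warning)
    for code in (3, 4624, 4720):  # constructed event codes
        ok = event_forwarded(fixed["whitelist"], fixed["blacklist"], {"EventCode": code})
        print(f"fixed stanza, EventCode {code}: {'forwarded' if ok else 'dropped'}")
```

Running the block prints a warning for both settings from the question and shows that, under the corrected stanza, EventCode 3 is dropped while 4624 and 4720 are forwarded. The regex form still works for pattern-style filters such as `EventCode=%47..%`, which this model matches against 4720 but not 4624.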