- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Universal Forwarder Blacklist: By event code, ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey All,
I am looking to add a blacklist entry to our inputs for our Windows UF's that would blacklist based on the event code, a process name (with wildcard path), and a specific account name.
Would it be as simple as?:
blacklist = EventCode="4674" User="user" Process_Name="*\blah.exe"
Or would I need a regex with user and process name trying to match on the message field?
Ive written some with Event Code and Process Name but never specific enough with a user.
Thanks!
Andrew
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ended up using this and it worked....for the most part lol. We still have some events matching this blacklist coming in but we saw a reduction from 76mil events to right over 2mil events.
blacklist7 = EventCode="4674" Message=".*[\S\s]*Account\sName:\s:.+ACCOUNT.+Process\sName:.+\Windows\SysWOW64\wbem\WmiPrvSE.exe|.+\Windows\System32\wbem\WmiPrvSE.exe"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ended up using this and it worked....for the most part lol. We still have some events matching this blacklist coming in but we saw a reduction from 76mil events to right over 2mil events.
blacklist7 = EventCode="4674" Message=".*[\S\s]*Account\sName:\s:.+ACCOUNT.+Process\sName:.+\Windows\SysWOW64\wbem\WmiPrvSE.exe|.+\Windows\System32\wbem\WmiPrvSE.exe"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is copied directly from the latest Splunk_TA_windows default inputs.conf
[WinEventLog://Security]
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist1 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
Hope that helps. The only thing I can think of for your example is to remove the capturing groups since they aren't doing anything as far as I can tell. I'm also assuming you have blacklist1 through blacklist6 defined sequentially.
Either:
blacklist7 = EventCode="4674" Message="Account Name:.+ACCOUNT.+Process Name:.+\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe.+\\Windows\\System32\\wbem\\WmiPrvSE.exe"
or
blacklist7 = EventCode="4674" Message="(?:Account Name:.+ACCOUNT|Process Name:|\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe|\\Windows\\System32\\wbem\\WmiPrvSE.exe)"
Jacob
If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the help Jacob but there are some issues with your regex statements.
Yes I have my blacklists setup sequentially in the inputs.conf. I was also using examples from the Splunk_TA_windows inputs.conf.
The first one says it should be both processes which it technically should be one of the two.
Your second one puts an OR in between the account name and the process name which wouldn't work either.
I just tried the below without capture groups:
blacklist7 = EventCode="4674" Message="Account Name:.+slwprdadmin.+Process Name:.+\Windows\SysWOW64\wbem\WmiPrvSE.exe|.+\Windows\System32\wbem\WmiPrvSE.exe"
Still doesn't work
I have these other blacklists that work fine so this doesn't make any sense to me.
blacklist5 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\bin\splunk.exe)|.+(?:SplunkUniversalForwarder\bin\splunkd.exe)|.+(?:SplunkUniversalForwarder\bin\btool.exe)|.+(?:Splunk\bin\splunk.exe)|.+(?:Splunk\bin\splunkd.exe)|.+(?:Splunk\bin\btool.exe)|.+(?:Agent\MonitoringHost.exe)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Opened a ticket with support as I am unsure why I can't get this to work. The first regex they suggested which also matched in a regex editor didn't work either. Still searching for a solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Or should it look like this?
EventCode="4674" Message="(?:Account\sName:\s+ACCOUNTNAME).+(?:Process\sName:\s+?:\wbem\WmiPrvSE.exe)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This by all knowledge appears it should work but it doesnt. Any ideas?
blacklist7 = EventCode="4674" Message="(?:Account Name:.+ACCOUNT).+(?:Process Name:).+(?:\Windows\SysWOW64\wbem\WmiPrvSE.exe)|.+(?:\Windows\System32\wbem\WmiPrvSE.exe)"
This matches most of the message in 2 regex tools.
Monitoring MariaDB and MySQL
Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...
Splunk Federated Analytics for Amazon Security Lake
