Using Windows PowerShell, how do I modify inputs.conf to only capture specific EventIDs?

adayton20
Contributor

Hello,

I am trying to only capture EventIDs 400 and 800 inside the Windows PowerShell log (not the PowerShell Operational) found at

%SystemRoot%\System32\Winevt\Logs\Windows PowerShell.evtx

I added the stanza below, which began generating logs, but for some reason I'm not receiving one of the EventIDs (800) I specified in the whitelist, and getting other EventIDs I didn't specify.

##### Windows PowerShell (Administrative) #####
[WinEventLog://Windows PowerShell]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
whitelist1 = 800,400
blacklist1 = EventID="400" Message="*foo.ps1*" Message="*PartialPathName*" user="*SomeUser*"
blacklist2 = EventID="800" Message="*foo.ps1*" Message="*PartialPathName*" user="*SomeUser*"
index = wineventlog

I am receiving 400, 403, and 600, but not 800. Based on my whitelist, shouldn't I not be receiving 403 and 600?

The stanza was added to /deployment-apps/Splunk_TA_windows/local/inputs.conf

I followed instructions per Splunk Docs "Monitor Windows Data" to set up the stanza.

The blacklists I applied are to filter out a specific PowerShell script in a path run by a unique user. I thought initially that may have been the problem, but I ran a few test .ps1 scripts to generate events and verified I am receiving EventID 400, and that foo.ps1 is filtered out for the specific path and user, so I do not think it has anything to do with my blacklists.

I thought another app might be taking precedence. I read through Splunk docs "Configuration File Precedence", and based on the precedence given, couldn't find any app interfering.

Any thoughts?

1 Solution

adayton20
Contributor

Well, it turns out there was another app interfering, but it was named something goofy. One of our admins, now on vacation, decided to make a test windows app called 0test_win, which I discovered was taking precedence over everything in the Splunk_TA_Windows app. I also found a corresponding entry in the serverclass.conf. After examining the contents of the app to ensure it wasn’t going to break anything, I renamed the app “ztest_win” so it would move to the bottom of the app list. After restarting the deployment server, the stanza in my original post worked like a charm. I am now only receiving EventIDs 400 and 800 for that sourcetype.

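The root cause above is app-directory precedence: on a forwarder, inputs.conf stanzas are merged from system/local, then each app's local directory in ASCII sort order of the app name (digits before uppercase before lowercase, so 0test_win sorts ahead of Splunk_TA_windows and ztest_win sorts after it), then each app's default directory, then system/default, with the first file to set a key winning. The script below is an added example, not part of the thread and not Splunk's own code: it parses a few constructed inputs.conf files, applies that ordering, and reports which file wins each key, the same information `splunk btool inputs list --debug` shows on the forwarder. The Splunk_TA_windows stanza is the one from the question; the 0test_win contents are a hypothetical stand-in, since the thread never shows what the real test app contained.

```python
import re
from typing import Dict, Tuple

# Constructed sample files (NOT the real contents of the poster's apps).
# Splunk_TA_windows: the stanza from the question.
# 0test_win: hypothetical stand-in for the admin's test app.
SAMPLE_FILES: Dict[str, str] = {
    "etc/apps/Splunk_TA_windows/local/inputs.conf": """
##### Windows PowerShell (Administrative) #####
[WinEventLog://Windows PowerShell]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
whitelist1 = 800,400
index = wineventlog
""",
    "etc/apps/0test_win/local/inputs.conf": """
[WinEventLog://Windows PowerShell]
disabled = 0
whitelist1 = 400,403,600
""",
    "etc/system/default/inputs.conf": """
[WinEventLog://Windows PowerShell]
disabled = 1
""",
}

STANZA = "WinEventLog://Windows PowerShell"
STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf parser: '[stanza]' headers, 'key = value' lines, '#' comments."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue  # key outside any stanza, or a malformed line
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return stanzas


def layer_order(paths):
    """Order files from highest to lowest precedence for a non-search-time
    context (what a forwarder uses for inputs.conf): system/local, each app's
    local in ASCII order of app name, each app's default in that order, then
    system/default. Plain str comparison gives the ASCII order Splunk uses."""
    def rank(path: str) -> Tuple[int, str]:
        if path.startswith("etc/system/local/"):
            return (0, "")
        if path.startswith("etc/system/default/"):
            return (3, "")
        m = re.match(r"etc/apps/([^/]+)/(local|default)/", path)
        if not m:
            raise ValueError(f"unexpected path layout: {path}")
        app, scope = m.groups()
        return (1 if scope == "local" else 2, app)
    return sorted(paths, key=rank)


def resolve(files: Dict[str, str], stanza: str) -> Dict[str, Tuple[str, str]]:
    """Merge one stanza across all files. Returns key -> (value, winning file)."""
    merged: Dict[str, Tuple[str, str]] = {}
    for path in layer_order(files):  # highest precedence first
        for key, value in parse_conf(files[path]).get(stanza, {}).items():
            merged.setdefault(key, (value, path))  # first writer wins
    return merged


def rename_app(files: Dict[str, str], old: str, new: str) -> Dict[str, str]:
    """Simulate renaming an app directory (the poster's fix: 0test_win -> ztest_win)."""
    return {p.replace(f"etc/apps/{old}/", f"etc/apps/{new}/"): c for p, c in files.items()}


if __name__ == "__main__":
    renamed = rename_app(SAMPLE_FILES, "0test_win", "ztest_win")
    for label, files in (("before rename", SAMPLE_FILES), ("after rename", renamed)):
        print(f"== {label} ==")
        for key, (value, src) in sorted(resolve(files, STANZA).items()):
            print(f"{src:48} {key} = {value}")
```

Before the rename the whitelist1 that wins comes from 0test_win; after it, Splunk_TA_windows wins and only 800 and 400 are whitelisted. The script models only the forwarder-side (non-search-time) merge, not the user/app search-time context, and treats an app name's ASCII order the way the docs describe it; on a real host, run btool rather than trusting a model.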
bmacias84
Champion

file precedence will get you every time.


bmacias84
Champion

You need to use transforms.conf on your heavy forwarders or indexers to send the events to NULL.

http://docs.splunk.com/Documentation/Splunk/6.4.3/Forwarding/Routeandfilterdatad

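For readers who do want the nullQueue approach bmacias84 mentions, here is an added example of the props.conf/transforms.conf pair it refers to; it is not from the thread or from Splunk_TA_windows. It assumes the events arrive with the classic `EventCode=<n>` line in _raw (the input's default, non-XML rendering) and that the source is the WinEventLog input name, `WinEventLog:Windows PowerShell`; if your TA renders XML, the EventID appears as an `<EventID>` element instead and the regex needs adjusting. It only takes effect on a heavy forwarder or indexer, not on a universal forwarder, which is why the whitelist in inputs.conf is the right tool when filtering at the forwarder.

```ini
# props.conf (heavy forwarder or indexer)
# Match on source, which the WinEventLog input sets to "WinEventLog:<log name>",
# so this works whatever sourcetype the TA assigns.
[source::WinEventLog:Windows PowerShell]
TRANSFORMS-drop_ps_noise = drop_ps_noise

# transforms.conf
# Route events whose EventCode is 403 or 600 to nullQueue (they are indexed
# nowhere and do not count against license). REGEX runs against _raw by default.
[drop_ps_noise]
REGEX = (?m)^EventCode=(?:403|600)$
DEST_KEY = queue
FORMAT = nullQueue
```

Order matters: if a single TRANSFORMS- class lists several transforms, the last one to set `queue` wins, so put the nullQueue transform after any that set `indexQueue` for events you want to keep.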

adayton20
Contributor

I appreciate the prompt response. That answers part of my question about filtering, however, I am still trying to figure out why I am not receiving Event ID 800.

Just to highlight:

I am not receiving Event ID 800 at all and trying to figure out why. After adding the stanza I mentioned above, I started receiving EventIDs 400, 403, and 600. Why is it that I am getting everything from that log except one EventID?

In our architecture, we filter events from WinEventLog directly at the forwarder level.
