Whats the best way to blacklist a Windows event co...

mrtolu6 · ‎11-22-2016

I have over 300 Universal forwarders and I'm getting several eventcode=5156 events errors. Is there a way to blacklist this event on a heavy forwarder? If not, what would be the best approach for blacklisting this event code?

gcusello · ‎11-22-2016

Hi mrtolu6,
the best way is to insert the blacklisted value in your TA distributed to all the Universal Forwarders

blacklist = EventCode\=5156

(see https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf)

Otherwise you could filter these events in your Heavy Forwarder:

props.conf

 [your_sourcetype]
 TRANSFORMS-set-remove_headers=set_OK,set_nullqueue

transforms.conf

 [set_nullqueue]
 REGEX=EventCode\=5156
 DEST_KEY=queue
 FORMAT=nullQueue

 [set_OK]
 REGEX=.
 DEST_KEY = queue
 FORMAT = indexQueue

Bye.
Giuseppe

mrtolu6 · ‎11-22-2016

Thanks Giuseppe for your response. I tried to do it on the heavy fwd but it did not work. Please see below to see what i inserted in the props.conf and transforms.conf file.

props.conf

[WinEventLog:Security]
TRANSFORMS-set-remove_headers=set_OK,set_nullqueue

transforms.conf

[set_nullqueue]
REGEX=EventCode=5156
DEST_KEY=queue
FORMAT=nullQueue

[set_OK]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

mrtolu6 · ‎11-22-2016

please disregard, it did work. Thanks for your help.

ppablo · ‎11-22-2016

Hi @mrtolu6

Glad you found a working solution through @cusello. Please don't forget to resolve the post by clicking "Accept" directly below his answer, and upvote his answer for helping you out.

Patrick

Whats the best way to blacklist a Windows event code?

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023