Getting Data In

When filtering Windows event logs, can you filter on fields other than EventCode, such as Account_Name?

kftaylor
Observer

Taken from inputs.conf on the deployment server:

blacklist1 = EventCode="4662"
blacklist2 = EventCode="566"
blacklist3 = EventCode="4776"
blacklist4 = EventCode="4768"
blacklist5 = EventCode="4769"
blacklist6 = EventCode="5156"
blacklist7 = EventCode="4658"
blacklist8 = EventCode="4656"
blacklist9 = Account_Name="SERVICE-ACCOUNT-NAME"

The above blacklist works perfectly for all EventCodes noted, but I am trying to blacklist activity (specifically high volumes of login events) for particular service accounts.

Is this possible?

0 Karma

Richfez
SplunkTrust

I've used many of the items documented here. Though the whole document is a fabulously interesting and useful read, the parts I'd like to point out specifically are as follows.

In the section "Event log monitor configuration values" you'll find a description of the various ways to use blacklist/whitelist. In your case, nearly all of those events should be able to be combined into one "easy" syntax line.
blacklist1 = 566,4656,4658,4662,4768,4769,4776,5156

EXCEPT, you won't be able to do that because you want to use the advanced filters as described in the section "Create advanced filters with 'whitelist' and 'blacklist'". You can't mix the easy and the advanced ones together, not even as separate lines - one stanza can only have one type in it.

But that's OK because we can rewrite your new and improved blacklist1 above into regex style, and combine them all. You just have to know where to find it in the docs (search for "Event ID list format")!

Tell you what, I'll just paste in a stanza I have. I think you can figure it out from there.

[WinEventLog://Security]
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode=%^(4658|4663|5145|5156|5157)$%

Obviously, my blacklist3 line would be trivially adaptable to your new and extra-improved blacklist1 line. Just replace the numbers with your own. (You'll even notice I blacklist a lot of the events you want to blacklist. Great minds think alike, eh?)

Once you have that, you can fiddle around with a blacklist2 line using the two keys that may be of use: ComputerName and User.

0 Karma
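To see how the advanced filter lines in this thread are evaluated, here is an added emulation (my own example, not Splunk's code) that parses blacklist lines in the key="regex" / key=%regex% form and applies them to constructed sample events: pairs on one line are ANDed, separate lines are ORed, regexes are searched rather than anchored, and a key outside the ones the answer names (EventCode, Message, ComputerName, User) is rejected, which is what happens in spirit to the Account_Name line from the question. The supported-key set and the sample events are assumptions.

```python
import re

# Keys the answer names as usable in advanced filters. Splunk's documented
# list is longer; restricting to these four is an assumption for this example.
SUPPORTED_KEYS = {"EventCode", "Message", "ComputerName", "User"}

# One key=regex pair, in either the %regex% or the "regex" form seen in the thread.
_PAIR = re.compile(r'(\w+)=(?:%([^%]*)%|"([^"]*)")')


def parse_blacklist(line):
    """Turn 'blacklistN = key="re" key2=%re%' into [(key, compiled_regex), ...].

    Raises ValueError for an unsupported key, e.g. Account_Name="..." from the question.
    """
    _, _, rhs = line.partition("=")
    pairs = []
    for key, pct, quoted in _PAIR.findall(rhs):
        if key not in SUPPORTED_KEYS:
            raise ValueError(f"unsupported filter key: {key}")
        pairs.append((key, re.compile(pct if pct else quoted)))
    if not pairs:
        raise ValueError(f"no key=regex pairs found in: {line!r}")
    return pairs


def is_blacklisted(event, lines):
    """Every pair on a line must match (AND); any matching line drops the event (OR).
    Regexes are searched, not anchored, which is why the thread's line uses ^(...)$."""
    for line in lines:
        pairs = parse_blacklist(line)
        if all(rx.search(str(event.get(k, ""))) for k, rx in pairs):
            return True
    return False


# Stanza lines from the answer plus a User-based line of the kind it suggests
# (constructed), and constructed sample events to run them against.
BLACKLIST = [
    'blacklist1 = EventCode="4662" Message="Object Type:\\s+(?!groupPolicyContainer)"',
    'blacklist2 = EventCode=%^(4658|4663|5145|5156|5157)$%',
    'blacklist3 = EventCode="4624" User=%^SERVICE-ACCOUNT-NAME$%',
]
SAMPLE_EVENTS = [
    {"EventCode": "4662", "User": "alice", "Message": "Object Type:\tuser"},
    {"EventCode": "4662", "User": "alice", "Message": "Object Type:\tgroupPolicyContainer"},
    {"EventCode": "4624", "User": "SERVICE-ACCOUNT-NAME", "Message": "An account was successfully logged on."},
    {"EventCode": "4624", "User": "bob", "Message": "An account was successfully logged on."},
    {"EventCode": "46580", "User": "bob", "Message": ""},  # shows why ^...$ anchoring matters
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventCode"], ev["User"], "DROP" if is_blacklisted(ev, BLACKLIST) else "keep")
```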