Getting Data In

When filtering Windows event logs, can you filter on fields other than EventCode, such as Account_Name?

kftaylor
Observer

Taken from inputs.conf on the deployment server:

blacklist1 = EventCode="4662" 
blacklist2 = EventCode="566"
blacklist3 = EventCode="4776"
blacklist4 = EventCode="4768"
blacklist5 = EventCode="4769"
blacklist6 = EventCode="5156"
blacklist7 = EventCode="4658"
blacklist8 = EventCode="4656"
blacklist9 = Account_Name="SERVICE-ACCOUNT-NAME"

The above blacklist works perfect for all EventCodes noted, but I am trying to blacklist activity (specifically high volumes of login events) for particular service accounts.

Is this possible?

0 Karma

Richfez
SplunkTrust
SplunkTrust

I've used many of the items documented here. Though the whole document is a fabulously interesting and useful read, the parts I'd like to point out specifically are as follows.

In the section "Event log monitor configuration values" you'll find a description of the various ways to use blacklist/whitelist. In your case, nearly all of those events should be able to be combined into one "easy" syntax line.
blacklist1 = 566,4656,4658,4662,4768,4769,4776,5156

EXCEPT, you won't be able to do that because you want to use the advanced filters as described in the section "Create advanced filters with 'whitelist' and 'blacklist'". You can't mix the easy and the advanced ones together, not even as separate lines - one stanza can only have one type in it.

But that's OK because we can rewrite your new and improved blacklist1 above into regex style, and combine them all. You just have to know where to find it in the docs (search for "Event ID list format")!

Tell you what, I'll just paste in a stanza I have. I think you can figure it out from there.

[WinEventLog://Security]
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode=%^(4658|4663|5145|5156|5157)$%

Obviously, my blacklist3 line would be trivially adaptable to your new and extra-improved blacklist1 line. Just replace the numbers with your own (You'll even notice I blacklist a lot of the events you want to blacklist. Great minds think alike, eh?)

Once you have that, you can fiddle around with a blacklist2 line using the two keys that may be of use: ComputerName and User.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...