Getting Data In

Why are blacklisted 4663 and 4660 events still showing up?

zward
Path Finder

I am hoping someone can help me out with a filtering blacklist issue I am having. I am currently filtering out event codes 4663 and 4660 so that splunk.exe (splunkd.exe, mcshield.exe, and a few others) processes are blacklisted and not sent, as Splunk is recording itself (splunkd.exe) accessing the Splunk directory every single time a file is touched or written (thousands of events per minute).

Every time Splunk receives a file or log, it records and updates the index, which creates more log files with event codes 4663 and 4660. As you can imagine, this is a massive amount of data being logged. Event codes 4660 and 4663 are for objects that are accessed. I have applied the blacklists below; however, I am still seeing results when I search for the event codes. Below are my blacklists. Any idea why these events are still showing up? Maybe there is an issue with my blacklist?

blacklist3 = EventCode="4663" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:splunkd|splunk|locktest|mongod|python|splunk\-(?:optimize|winevtlog))\.exe)"
blacklist4 = EventCode="4663" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Common Files\\McAfee\\SystemCore\\(?:mcshield).exe)"
blacklist5 = EventCode="4660" Message="Process_Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:splunkd|splunk|locktest|mongod|python|splunk\-(?:optimize|winevtlog))\.exe)"

I did multiple searches and was unable to find an effective blacklist for event codes 4663 and 4660 that is granular enough to exclude splunkd.exe. Also, please note that full hostname information has been excluded from the screenshot for security reasons.

Thank you for your help.

0 Karma
1 Solution

nickhills
Ultra Champion

Simply:

blacklist3 = EventCode="4663" Message="SplunkUniversalForwarder"

Is working in our environment.

edit:
Just to note - we are using the XML log format; however, I believe the filtering occurs the same irrespective of the format, though I have not tried it!

If my comment helps, please give it a thumbs up!

0 Karma
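Added example, not code from this thread or from Splunk: a small Python emulation of how one WinEventLog blacklist line is applied to an event, run against the two events zward posted (reduced to the fields the rules inspect) plus one constructed 4663 event whose process path contains SplunkUniversalForwarder. The matching semantics are an assumption, consistent with the accepted answer working on a bare substring: each key="regex" pair is a regex searched (partial match) against that field, and the event is dropped only when every pair on the line matches. Two things it makes visible: zward's blacklist5 can never match the posted 4660 event, because that event reads "Process Name:" with a space while the rule looks for "Process_Name:"; and nickhills' rule only fires on a host whose process path actually contains SplunkUniversalForwarder, which the posted events (a full Splunk install under C:\Program Files\Splunk\bin) do not. blacklist4 (McAfee) behaves like blacklist3 and is not repeated. The (?i) hoisting exists only because Python's re, unlike PCRE, rejects a global flag placed mid-pattern.

```python
import re

# Added example (not from this thread or from Splunk): emulate how one
# WinEventLog blacklist<N> line is applied to an event. ASSUMPTION, consistent
# with the accepted answer working on a bare substring: every key="regex"
# pair is searched (partial match, PCRE-style) against the named field, and
# the event is dropped only when ALL pairs on the line match.


def parse_blacklist(line):
    """Split 'EventCode="4663" Message="..."' into [(field, regex), ...]."""
    pairs = re.findall(r'(\w+)="([^"]*)"', line)
    if not pairs:
        raise ValueError('no key="regex" pairs in: ' + line)
    return pairs


def to_python_regex(pattern):
    """PCRE accepts a global (?i) anywhere; Python's re only at the start.
    Hoisting it keeps the case-insensitivity, which is all these rules use."""
    if "(?i)" in pattern:
        pattern = "(?i)" + pattern.replace("(?i)", "")
    return re.compile(pattern)


def is_blacklisted(event, line):
    """True when every field regex on the blacklist line finds a match."""
    return all(
        to_python_regex(regex).search(event.get(field, "")) is not None
        for field, regex in parse_blacklist(line)
    )


# Constructed events, reduced from the two zward posted: only the fields the
# rules inspect, with tabs standing in for the original indentation. The third
# event is invented to show a host where the Universal Forwarder path applies.
def make_event(code, headline, process_name):
    return {
        "EventCode": code,
        "Message": (
            headline + "\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n"
            "\tAccount Name:\t\tSPLUNKPRD01$\n\nProcess Information:\n"
            "\tProcess ID:\t\t0x8e8\n\tProcess Name:\t\t" + process_name + "\n"
        ),
    }


FULL = r"C:\Program Files\Splunk\bin\splunkd.exe"
UF = r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EVENTS = {
    "4663 full Splunk": make_event("4663", "An attempt was made to access an object.", FULL),
    "4660 full Splunk": make_event("4660", "An object was deleted.", FULL),
    "4663 UF (constructed)": make_event("4663", "An attempt was made to access an object.", UF),
}

RULES = {
    "zward blacklist3": r'EventCode="4663" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:splunkd|splunk|locktest|mongod|python|splunk\-(?:optimize|winevtlog))\.exe)"',
    "zward blacklist5": r'EventCode="4660" Message="Process_Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:splunkd|splunk|locktest|mongod|python|splunk\-(?:optimize|winevtlog))\.exe)"',
    "nickhills blacklist3": r'EventCode="4663" Message="SplunkUniversalForwarder"',
}
# The posted 4660 event reads "Process Name:" with a space, not "Process_Name:".
RULES["blacklist5 with 'Process Name'"] = RULES["zward blacklist5"].replace("Process_Name", "Process Name")


def evaluate():
    """Return {rule: {event: dropped}} for every rule/event combination."""
    return {
        rule: {name: is_blacklisted(ev, line) for name, ev in EVENTS.items()}
        for rule, line in RULES.items()
    }


if __name__ == "__main__":
    for rule, results in evaluate().items():
        print(rule)
        for name, dropped in results.items():
            print(f"  {name:24} {'DROPPED' if dropped else 'kept'}")
```

Run it directly to print a kept/DROPPED table per rule. Before editing inputs.conf on a real host, paste the Message body exactly as it appears in a Splunk search into make_event: with renderXml enabled the text the forwarder matches against looks different from the plain-text samples above, so a rule that passes here still needs confirming against the format you actually ingest.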

nickhills
Ultra Champion

Did this help you? If you found it useful, please be sure to accept/upvote any posts which helped, as it provides useful feedback for future viewers of your question. Good luck!

If my comment helps, please give it a thumbs up!
0 Karma

harsmarvania57
SplunkTrust

Hi @zward,

Can you please provide one sample event for EventCode=4663 and 4660?

0 Karma

zward
Path Finder

Here is a sample event

4663:

12/13/2017 12:15:36 PM
    LogName=Security
    SourceName=Microsoft Windows security auditing.
    EventCode=4663
    EventType=0
    Type=Information
    ComputerName=SPLUNKPRD01
    TaskCategory=Removable Storage
    OpCode=Info
    RecordNumber=2992047793
    Keywords=Audit Success
    Message=An attempt was made to access an object.

    Subject:
        Security ID:        S-1-5-18
        Account Name:       SPLUNKPRD01$
        Account Domain:     TESTENV
        Logon ID:       0x3E7

    Object:
        Object Server:      Security
        Object Type:        File
        Object Name:        E:\Splunk\datastore\optiv\db\hot_v1_126\Hosts.data
        Handle ID:      0x4b0
        Resource Attributes:
    Process Information:
        Process ID:     0x8e8
        Process Name:       C:\Program Files\Splunk\bin\splunkd.exe

    Access Request Information:
        Accesses:       ReadData (or ListDirectory)

        Access Mask:        0x1

4660:

12/13/2017 12:17:36 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4660
EventType=0
Type=Information
ComputerName=SPLUNKPRD01
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=2992128965
Keywords=Audit Success
Message=An object was deleted.

Subject:
    Security ID:        S-1-5-18
    Account Name:       SPLUNKPRD01$
    Account Domain:     TESTENV
    Logon ID:       0x3E7

Object:
    Object Server:  Security
    Handle ID:  0xfe8

Process Information:
    Process ID: 0x688
    Process Name:   C:\Program Files\Splunk\bin\splunkd.exe
    Transaction ID: {00000000-0000-0000-0000-000000000000}
0 Karma