Hello,
I am trying to blacklist EventCode 5152 in inputs.conf. I have tried putting it in a different order in the list below (blacklist, blacklist3, blacklist5), and that didn't work. I have tried with the current message setting as well as typing out the message and that did not help. The other events listed are currently being blocked correctly. My current version of Splunk is 7.0.0. Any help would be appreciated.
From the inputs.conf file:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
blacklist = EventCode="5152" Message="*"
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4932" Message="*"
blacklist4 = EventCode="4933" Message="*"
From Splunk search
11/29/2018 01:44:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5152
EventType=0
Type=Information
ComputerName=XXX.northgrum.com
TaskCategory=Filtering Platform Packet Drop
OpCode=Info
RecordNumber=36423970
Keywords=Audit Failure
Message=The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 0
Application Name: -
Network Information:
Direction: Inbound
Source Address: XXX
Source Port: 8080
Destination Address: XXX
Destination Port: 64430
Protocol: 6
Filter Information:
Filter Run-Time ID: 70679
Layer Name: Transport
Layer Run-Time ID: 13
EventCode = 5152
host = XXX
source = WinEventLog:Security
sourcetype = WinEventLog:Security
You can try for one Event Code:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
blacklist1 = 5152
If you have multiple event codes, you can put blacklist1 = 5152,4662
Let me know if this works.
As per inputs.conf try this:
blacklist1 = EventCode="5152"
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist4 = EventCode="4932"
blacklist5 = EventCode="4933"
or simply just:
blacklist1 = 5152,4932,4933
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
I tried as you suggested and it did not work. I then tried with spaces between the commas and with quotes around each number and it did not work. I restarted Splunkd service each time.
Did you deploy this to all of your forwarders and restart the Splunk instances there?
Hi,
I know you asked for blacklist and I see why, but if this is not working for you, did you try sending to nullQueue on the Indexer?
props.conf
[WinEventLog:Security]
TRANSFORMS-<name>=<name_in_transforms>
transforms.conf
[<name_in_transforms>]
REGEX=EventCode=(4662|4634|4672)
DEST_KEY=queue
FORMAT=nullQueue
If you want to filter on more than the EventCode number, you can just add to the regex, but you will need a (?s) in front, because of the newline characters in wineventlog events (REGEX=(?s)EventCode=(4662|4634|4672).*Message=[....])
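To see why the (?s) matters for multi-line Windows events, here is an added Python check (written for this thread, not Splunk's own matching code) that applies the transforms.conf REGEX above to a constructed event modelled on the one quoted in the question; the extra 5152 alternative, the hostname and the second sample event are assumptions.

```python
import re

# Constructed sample events, modelled on the multi-line WinEventLog:Security
# event quoted in the question (hostname and values are placeholders).
WFP_DROP_EVENT = """11/29/2018 01:44:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5152
EventType=0
Type=Information
ComputerName=host.example.com
TaskCategory=Filtering Platform Packet Drop
OpCode=Info
Keywords=Audit Failure
Message=The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 0
Application Name: -
Network Information:
Direction: Inbound
Source Port: 8080
Destination Port: 64430
Protocol: 6"""

LOGON_EVENT = """11/29/2018 01:45:02 PM
LogName=Security
EventCode=4624
Keywords=Audit Success
Message=An account was successfully logged on."""

# The thread's REGEX with 5152 added (assumed), extended to also look at
# the Message text, once without (?s) and once with it.
REGEX_NO_DOTALL = r"EventCode=(4662|4634|4672|5152).*Message=The Windows Filtering Platform"
REGEX_DOTALL = r"(?s)" + REGEX_NO_DOTALL


def routed_to_nullqueue(event: str, regex: str) -> bool:
    """Mimic the transforms.conf decision: when REGEX matches anywhere in the
    raw event, DEST_KEY=queue / FORMAT=nullQueue discards it before indexing."""
    return re.search(regex, event) is not None


def kept_event_codes(events: list[str], regex: str) -> list[str]:
    """Return the EventCode of every event that would still be indexed."""
    kept = []
    for event in events:
        if not routed_to_nullqueue(event, regex):
            code = re.search(r"^EventCode=(\d+)$", event, re.MULTILINE)
            kept.append(code.group(1) if code else "?")
    return kept
```

Without (?s) the `.*` cannot cross the newline after `EventCode=5152`, so the Message clause never matches and the event is indexed anyway.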
Which props.conf file do I modify? There are several on the host machine.
You can set up a new app for this to include your /local/props.conf and /local/transforms. Then deploy it to your Indexer.
Or there is already an app working with WinEventLog:Security, so you could add it there.
Please note that you have to edit two conf files, transforms.conf and props.conf.
What is the location of the props.conf and transforms.conf files I am to modify? c:\program file\splunk...
My host server is generating 100k of these events every day so I would like to start on this server.
You have to create these files yourself on the indexer (or on the master and apply a new bundle if you have a cluster).
Set up a new app, with a local directory.
Create props.conf and transforms.conf.
Add and edit the content I posted above and save the files.
Restart splunkd.
I created these two files like you requested. I added a |5152 in the transforms.conf file. I placed them in the Splunk\etc folder.
What do you mean by setting up a new app with a local directory?
I restarted splunkd and it still was not working.
You probably want to gain some knowledge about apps first before continuing.
Please tell me what your environment looks like: do you have a standalone Splunk instance or several with different roles? (Search Head, Indexer etc.)
In general you will create an app in $SPLUNK_HOME/etc/apps/. Create a new folder in apps with the name of your app. Let's call it "my_first_app".
So we have $SPLUNK_HOME/etc/apps/my_first_app. Next you need to create a "local" directory in my_first_app. So $SPLUNK_HOME/etc/apps/my_first_app/local. Within local you place your transforms.conf and props.conf.
Please post what your conf files look like now. Maybe there's an error in there as well.
Before I respond to your questions, I think I have uncovered something.
The blacklisting 'seems' to be working, but not on the events occurring on the host server. Initially, I was just looking at events, but then I realized the events were only coming from one server and that was the host.
Is there something Splunk related I need to do from the host server to keep this event from getting into the index?
Also, as a test, I removed the blacklisting event and I got this event from multiple servers.
How about a tweak in the order of blacklist...
blacklist1 = EventCode="5152" Message="*"
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist4 = EventCode="4932" Message="*"
blacklist5 = EventCode="4933" Message="*"
Moving it to the top was unsuccessful. I tried restarting the service and still did not work.